npm - @matter/protocol - Versions diffs - 0.15.0-alpha.0-20250616-4b3754906 → 0.15.0-alpha.0-20250619-df2264f15 - Mend

@matter/protocol 0.15.0-alpha.0-20250616-4b3754906 → 0.15.0-alpha.0-20250619-df2264f15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (207) hide show

package/dist/esm/certificate/kinds/Noc.js ADDED Viewed

@@ -0,0 +1,128 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Bytes, Diagnostic, PublicKey } from "#general";
+import { CaseAuthenticatedTag, FabricId, NodeId } from "#types";
+import { CertificateError } from "./common.js";
+import { OperationalCertificate } from "./definitions/operational.js";
+import { OperationalBase } from "./OperationalBase.js";
+class Noc extends OperationalBase {
+  /** Construct the class from a Tlv version of the certificate */
+  static fromTlv(tlv) {
+    return new Noc(OperationalCertificate.TlvNoc.decode(tlv));
+  }
+  /** Validates all basic certificate fields on construction. */
+  validateFields() {
+    const {
+      issuer: { icacId, rcacId },
+      extensions: {
+        basicConstraints: { isCa }
+      }
+    } = this.cert;
+    if (icacId === void 0 && rcacId === void 0) {
+      throw new CertificateError("Issuer RCAC or ICAC ID must be defined for an operational certificate.");
+    }
+    if (isCa) {
+      throw new CertificateError("Node operational certificate must not be a CA.");
+    }
+  }
+  /**
+   * Encodes the certificate with the signature as Matter Tlv.
+   * If the certificate is not signed, it throws a CertificateError.
+   */
+  asSignedTlv() {
+    return OperationalCertificate.TlvNoc.encode({ ...this.cert, signature: this.signature });
+  }
+  /**
+   * Verify requirements a Matter Node Operational certificate must fulfill.
+   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+   */
+  async verify(crypto, root, ica) {
+    this.generalVerify();
+    const {
+      subject,
+      extensions: { extendedKeyUsage, subjectKeyIdentifier, authorityKeyIdentifier }
+    } = this.cert;
+    const { nodeId, fabricId, caseAuthenticatedTags } = subject;
+    const {
+      subject: { fabricId: rootFabricId }
+    } = root.cert;
+    const {
+      subject: { fabricId: icaFabricId }
+    } = ica?.cert ?? { subject: {} };
+    if (nodeId === void 0 || Array.isArray(nodeId)) {
+      throw new CertificateError(`Invalid nodeId in NoC certificate: ${Diagnostic.json(nodeId)}`);
+    }
+    if (!NodeId.isOperationalNodeId(nodeId)) {
+      throw new CertificateError(`Invalid nodeId in NoC certificate: ${Diagnostic.json(nodeId)}`);
+    }
+    if (fabricId === void 0 || Array.isArray(fabricId)) {
+      throw new CertificateError(`Invalid fabricId in NoC certificate: ${Diagnostic.json(fabricId)}`);
+    }
+    if (fabricId === FabricId(0)) {
+      throw new CertificateError(`Invalid fabricId in NoC certificate: ${Diagnostic.json(fabricId)}`);
+    }
+    if ("icacId" in subject) {
+      throw new CertificateError(`Noc certificate must not contain an icacId.`);
+    }
+    if ("rcacId" in subject) {
+      throw new CertificateError(`Noc certificate must not contain an rcacId.`);
+    }
+    if (caseAuthenticatedTags !== void 0) {
+      CaseAuthenticatedTag.validateNocTagList(caseAuthenticatedTags);
+    }
+    if (rootFabricId !== void 0 && rootFabricId !== fabricId) {
+      throw new CertificateError(
+        `FabricId in NoC certificate does not match the fabricId in the parent certificate. ${Diagnostic.json(
+          rootFabricId
+        )} !== ${Diagnostic.json(fabricId)}`
+      );
+    }
+    if (icaFabricId !== void 0 && icaFabricId !== fabricId) {
+      throw new CertificateError(
+        `FabricId in NoC certificate does not match the fabricId in the parent certificate. ${Diagnostic.json(
+          icaFabricId
+        )} !== ${Diagnostic.json(fabricId)}`
+      );
+    }
+    if (this.cert.extensions.basicConstraints.isCa) {
+      throw new CertificateError(`Noc certificate must not have isCa set to true.`);
+    }
+    if (!this.cert.extensions.keyUsage.digitalSignature) {
+      throw new CertificateError(`Noc certificate must have keyUsage set to digitalSignature.`);
+    }
+    if (extendedKeyUsage === void 0 || !extendedKeyUsage.includes(1) && !extendedKeyUsage.includes(2)) {
+      throw new CertificateError(
+        `Noc certificate must have extendedKeyUsage with serverAuth and clientAuth: ${Diagnostic.json(extendedKeyUsage)}`
+      );
+    }
+    if (subjectKeyIdentifier === void 0) {
+      throw new CertificateError(`Noc certificate must have subjectKeyIdentifier set.`);
+    }
+    if (subjectKeyIdentifier.length !== 20) {
+      throw new CertificateError(`Noc certificate subjectKeyIdentifier must be 160 bit.`);
+    }
+    if (authorityKeyIdentifier === void 0) {
+      throw new CertificateError(`Noc certificate must have authorityKeyIdentifier set.`);
+    }
+    if (authorityKeyIdentifier.length !== 20) {
+      throw new CertificateError(`Noc certificate authorityKeyIdentifier must be 160 bit.`);
+    }
+    if (!Bytes.areEqual(authorityKeyIdentifier, (ica?.cert ?? root.cert).extensions.subjectKeyIdentifier)) {
+      throw new CertificateError(
+        `Noc certificate authorityKeyIdentifier must be equal to Root/Ica subjectKeyIdentifier.`
+      );
+    }
+    await crypto.verifyEcdsa(
+      PublicKey((ica?.cert ?? root.cert).ellipticCurvePublicKey),
+      this.asUnsignedAsn1(),
+      this.signature
+    );
+  }
+}
+export {
+  Noc
+};
+//# sourceMappingURL=Noc.js.map

package/dist/esm/certificate/kinds/Noc.js.map ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/certificate/kinds/Noc.ts"],
+  "mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,OAAe,YAAY,iBAAiB;AACrD,SAAS,sBAAsB,UAAU,cAAc;AACvD,SAAS,wBAAwB;AACjC,SAAS,8BAA8B;AAEvC,SAAS,uBAAuB;AAGzB,MAAM,YAAY,gBAA4C;AAAA;AAAA,EAEjE,OAAO,QAAQ,KAAiB;AAC5B,WAAO,IAAI,IAAI,uBAAuB,OAAO,OAAO,GAAG,CAAC;AAAA,EAC5D;AAAA;AAAA,EAGU,iBAAiB;AACvB,UAAM;AAAA,MACF,QAAQ,EAAE,QAAQ,OAAO;AAAA,MACzB,YAAY;AAAA,QACR,kBAAkB,EAAE,KAAK;AAAA,MAC7B;AAAA,IACJ,IAAI,KAAK;AACT,QAAI,WAAW,UAAa,WAAW,QAAW;AAC9C,YAAM,IAAI,iBAAiB,wEAAwE;AAAA,IACvG;AACA,QAAI,MAAM;AACN,YAAM,IAAI,iBAAiB,gDAAgD;AAAA,IAC/E;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAc;AACV,WAAO,uBAAuB,OAAO,OAAO,EAAE,GAAG,KAAK,MAAM,WAAW,KAAK,UAAU,CAAC;AAAA,EAC3F;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,QAAgB,MAAY,KAAY;AACjD,SAAK,cAAc;AAEnB,UAAM;AAAA,MACF;AAAA,MACA,YAAY,EAAE,kBAAkB,sBAAsB,uBAAuB;AAAA,IACjF,IAAI,KAAK;AACT,UAAM,EAAE,QAAQ,UAAU,sBAAsB,IAAI;AACpD,UAAM;AAAA,MACF,SAAS,EAAE,UAAU,aAAa;AAAA,IACtC,IAAI,KAAK;AACT,UAAM;AAAA,MACF,SAAS,EAAE,UAAU,YAAY;AAAA,IACrC,IAAI,KAAK,QAAQ,EAAE,SAAS,CAAC,EAAE;AAG/B,QAAI,WAAW,UAAa,MAAM,QAAQ,MAAM,GAAG;AAC/C,YAAM,IAAI,iBAAiB,sCAAsC,WAAW,KAAK,MAAM,CAAC,EAAE;AAAA,IAC9F;AAEA,QAAI,CAAC,OAAO,oBAAoB,MAAM,GAAG;AACrC,YAAM,IAAI,iBAAiB,sCAAsC,WAAW,KAAK,MAAM,CAAC,EAAE;AAAA,IAC9F;AAGA,QAAI,aAAa,UAAa,MAAM,QAAQ,QAAQ,GAAG;AACnD,YAAM,IAAI,iBAAiB,wCAAwC,WAAW,KAAK,QAAQ,CAAC,EAAE;AAAA,IAClG;AAEA,QAAI,aAAa,SAAS,CAAC,GAAG;AAC1B,YAAM,IAAI,iBAAiB,wCAAwC,WAAW,KAAK,QAAQ,CAAC,EAAE;AAAA,IAClG;AAGA,QAAI,YAAY,SAAS;AACrB,YAAM,IAAI,iBAAiB,6CAA6C;AAAA,IAC5E;AAGA,QAAI,YAAY,SAAS;AACrB,YAAM,IAAI,iBAAiB,6CAA6C;AAAA,IAC5E;AAGA,QAAI,0BAA0B,QAAW;AACrC,2BAAqB,mBAAmB,qBAAqB;AAAA,IACjE;AAKA,QAAI,iBAAiB,UAAa,iBAAiB,UAAU;AACzD,YAAM,IAAI;AAAA,QACN,sFAAsF,WAAW;AAAA,UAC7F;AAAA,QACJ,CAAC,QAAQ,WAAW,KAAK,QAAQ,CAAC;AAAA,MACtC;AAAA,IACJ;AACA,QAAI,gBAAgB,UAAa,gBAAgB,UAAU;AACvD,YAAM,IAAI;AAAA,QACN,sFAAsF,WAAW;AAAA,UAC7F;AAAA,QACJ,CAAC,QAAQ,WAAW,KAAK,QAAQ,CAAC;AAAA,MACtC;AAAA,IACJ;AAGA,QAAI,KAAK,KAAK,WAAW,iBAAiB,MAAM;AAC5C,YAAM,IAAI,iBAAiB,iDAAiD;AAAA,IAChF;AAMA,QAAI,CAAC,KAAK,KAAK,WAAW,SAAS,kBAAkB;AACjD,YAAM,IAAI,iBAAiB,6DAA6D;AAAA,IAC5F;AAGA,QAAI,qBAAqB,UAAc,CAAC,iBAAiB,SAAS,CAAC,KAAK,CAAC,iBAAiB,SAAS,CAAC,GAAI;AACpG,YAAM,IAAI;AAAA,QACN,8EAA8E,WAAW,KAAK,gBAAgB,CAAC;AAAA,MACnH;AAAA,IACJ;AAGA,QAAI,yBAAyB,QAAW;AACpC,YAAM,IAAI,iBAAiB,qDAAqD;AAAA,IACpF;AACA,QAAI,qBAAqB,WAAW,IAAI;AACpC,YAAM,IAAI,iBAAiB,uDAAuD;AAAA,IACtF;AAGA,QAAI,2BAA2B,QAAW;AACtC,YAAM,IAAI,iBAAiB,uDAAuD;AAAA,IACtF;AACA,QAAI,uBAAuB,WAAW,IAAI;AACtC,YAAM,IAAI,iBAAiB,yDAAyD;AAAA,IACxF;AAGA,QAAI,CAAC,MAAM,SAAS,yBAAyB,KAAK,QAAQ,KAAK,MAAM,WAAW,oBAAoB,GAAG;AACnG,YAAM,IAAI;AAAA,QACN;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,OAAO;AAAA,MACT,WAAW,KAAK,QAAQ,KAAK,MAAM,sBAAsB;AAAA,MACzD,KAAK,eAAe;AAAA,MACpB,KAAK;AAAA,IACT;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/dist/esm/certificate/kinds/OperationalBase.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { X509Base } from "./X509Base.js";
+import { Unsigned } from "./common.js";
+import { X509Certificate } from "./definitions/base.js";
+/**
+ * Base class for all operational certificates (RCAC, ICAC, NOC)
+ */
+export declare abstract class OperationalBase<CT extends X509Certificate> extends X509Base<CT> {
+    constructor(cert: CT | Unsigned<CT>);
+    /** Validates all basic certificate fields on construction. */
+    protected abstract validateFields(): void;
+    /** Encodes the signed certificate into the Matter TLV format. */
+    abstract asSignedTlv(signature: Uint8Array<ArrayBufferLike>): Uint8Array;
+    /**
+     * Verifies general requirements a Matter certificate fields must fulfill.
+     * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+     */
+    generalVerify(): void;
+}
+//# sourceMappingURL=OperationalBase.d.ts.map

package/dist/esm/certificate/kinds/OperationalBase.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"OperationalBase.d.ts","sourceRoot":"","sources":["../../../../src/certificate/kinds/OperationalBase.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAoB,QAAQ,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAIxD;;GAEG;AACH,8BAAsB,eAAe,CAAC,EAAE,SAAS,eAAe,CAAE,SAAQ,QAAQ,CAAC,EAAE,CAAC;gBACtE,IAAI,EAAE,EAAE,GAAG,QAAQ,CAAC,EAAE,CAAC;IAKnC,8DAA8D;IAC9D,SAAS,CAAC,QAAQ,CAAC,cAAc,IAAI,IAAI;IAEzC,iEAAiE;IACjE,QAAQ,CAAC,WAAW,CAAC,SAAS,EAAE,UAAU,CAAC,eAAe,CAAC,GAAG,UAAU;IAExE;;;OAGG;IACH,aAAa;CAuChB"}

package/dist/esm/certificate/kinds/OperationalBase.js ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Logger, Time } from "#general";
+import { X509Base } from "./X509Base.js";
+import { CertificateError } from "./common.js";
+const logger = Logger.get("OperationalBaseCertificate");
+class OperationalBase extends X509Base {
+  constructor(cert) {
+    super(cert);
+    this.validateFields();
+  }
+  /**
+   * Verifies general requirements a Matter certificate fields must fulfill.
+   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+   */
+  generalVerify() {
+    const cert = this.cert;
+    if (cert.serialNumber.length > 20)
+      throw new CertificateError(
+        `Serial number must not be longer then 20 octets. Current serial number has ${cert.serialNumber.length} octets.`
+      );
+    if (cert.signatureAlgorithm !== 1) {
+      throw new CertificateError(`Unsupported signature algorithm: ${cert.signatureAlgorithm}`);
+    }
+    if (cert.publicKeyAlgorithm !== 1) {
+      throw new CertificateError(`Unsupported public key algorithm: ${cert.publicKeyAlgorithm}`);
+    }
+    if (cert.ellipticCurveIdentifier !== 1) {
+      throw new CertificateError(`Unsupported elliptic curve identifier: ${cert.ellipticCurveIdentifier}`);
+    }
+    if (Object.keys(cert.subject).length > 5) {
+      throw new CertificateError(`Certificate subject must not contain more than 5 RDNs.`);
+    }
+    if (Object.keys(cert.issuer).length > 5) {
+      throw new CertificateError(`Certificate issuer must not contain more than 5 RDNs.`);
+    }
+    if (cert.notBefore * 1e3 > Time.nowMs()) {
+      logger.warn(`Certificate notBefore date is in the future: ${cert.notBefore * 1e3} vs ${Time.nowMs()}`);
+    }
+  }
+}
+export {
+  OperationalBase
+};
+//# sourceMappingURL=OperationalBase.js.map

package/dist/esm/certificate/kinds/OperationalBase.js.map ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/certificate/kinds/OperationalBase.ts"],
+  "mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,QAAQ,YAAY;AAC7B,SAAS,gBAAgB;AACzB,SAAS,wBAAkC;AAG3C,MAAM,SAAS,OAAO,IAAI,4BAA4B;AAK/C,MAAe,wBAAoD,SAAa;AAAA,EACnF,YAAY,MAAyB;AACjC,UAAM,IAAI;AACV,SAAK,eAAe;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,gBAAgB;AACZ,UAAM,OAAO,KAAK;AAClB,QAAI,KAAK,aAAa,SAAS;AAC3B,YAAM,IAAI;AAAA,QACN,8EAA8E,KAAK,aAAa,MAAM;AAAA,MAC1G;AAEJ,QAAI,KAAK,uBAAuB,GAAG;AAE/B,YAAM,IAAI,iBAAiB,oCAAoC,KAAK,kBAAkB,EAAE;AAAA,IAC5F;AAEA,QAAI,KAAK,uBAAuB,GAAG;AAE/B,YAAM,IAAI,iBAAiB,qCAAqC,KAAK,kBAAkB,EAAE;AAAA,IAC7F;AAEA,QAAI,KAAK,4BAA4B,GAAG;AAEpC,YAAM,IAAI,iBAAiB,0CAA0C,KAAK,uBAAuB,EAAE;AAAA,IACvG;AAGA,QAAI,OAAO,KAAK,KAAK,OAAO,EAAE,SAAS,GAAG;AACtC,YAAM,IAAI,iBAAiB,wDAAwD;AAAA,IACvF;AACA,QAAI,OAAO,KAAK,KAAK,MAAM,EAAE,SAAS,GAAG;AACrC,YAAM,IAAI,iBAAiB,uDAAuD;AAAA,IACtF;AAIA,QAAI,KAAK,YAAY,MAAO,KAAK,MAAM,GAAG;AACtC,aAAO,KAAK,gDAAgD,KAAK,YAAY,GAAI,OAAO,KAAK,MAAM,CAAC,EAAE;AAAA,IAI1G;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/dist/esm/certificate/kinds/Rcac.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Crypto } from "#general";
+import { OperationalCertificate } from "./definitions/operational.js";
+import { OperationalBase } from "./OperationalBase.js";
+export declare class Rcac extends OperationalBase<OperationalCertificate.Rcac> {
+    /** Construct the class from a Tlv version of the certificate */
+    static fromTlv(tlv: Uint8Array): Rcac;
+    /** Validates all basic certificate fields on construction. */
+    protected validateFields(): void;
+    /**
+     * Encodes the certificate with the signature as Matter Tlv.
+     * If the certificate is not signed, it throws a CertificateError.
+     */
+    asSignedTlv(): Uint8Array<ArrayBufferLike>;
+    /**
+     * Verify requirements a Matter Root certificate must fulfill.
+     * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+     */
+    verify(crypto: Crypto): Promise<void>;
+}
+//# sourceMappingURL=Rcac.d.ts.map

package/dist/esm/certificate/kinds/Rcac.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Rcac.d.ts","sourceRoot":"","sources":["../../../../src/certificate/kinds/Rcac.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAS,MAAM,EAAyB,MAAM,UAAU,CAAC;AAIhE,OAAO,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,qBAAa,IAAK,SAAQ,eAAe,CAAC,sBAAsB,CAAC,IAAI,CAAC;IAClE,gEAAgE;IAChE,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI;IAIrC,8DAA8D;IAC9D,SAAS,CAAC,cAAc;IAWxB;;;OAGG;IACH,WAAW;IAIX;;;OAGG;IACG,MAAM,CAAC,MAAM,EAAE,MAAM;CAkF9B"}

package/dist/esm/certificate/kinds/Rcac.js ADDED Viewed

@@ -0,0 +1,99 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Bytes, Diagnostic, PublicKey } from "#general";
+import { FabricId } from "#types";
+import { CertificateError } from "./common.js";
+import { ExtensionKeyUsageSchema } from "./definitions/base.js";
+import { OperationalCertificate } from "./definitions/operational.js";
+import { OperationalBase } from "./OperationalBase.js";
+class Rcac extends OperationalBase {
+  /** Construct the class from a Tlv version of the certificate */
+  static fromTlv(tlv) {
+    return new Rcac(OperationalCertificate.TlvRcac.decode(tlv));
+  }
+  /** Validates all basic certificate fields on construction. */
+  validateFields() {
+    const {
+      extensions: {
+        basicConstraints: { isCa }
+      }
+    } = this.cert;
+    if (!isCa) {
+      throw new CertificateError("Root certificate must be a CA.");
+    }
+  }
+  /**
+   * Encodes the certificate with the signature as Matter Tlv.
+   * If the certificate is not signed, it throws a CertificateError.
+   */
+  asSignedTlv() {
+    return OperationalCertificate.TlvRcac.encode({ ...this.cert, signature: this.signature });
+  }
+  /**
+   * Verify requirements a Matter Root certificate must fulfill.
+   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+   */
+  async verify(crypto) {
+    this.generalVerify();
+    const { subject, extensions } = this.cert;
+    const { fabricId, rcacId } = subject;
+    const { basicConstraints, subjectKeyIdentifier, authorityKeyIdentifier } = extensions;
+    if ("nodeId" in subject) {
+      throw new CertificateError(`Root certificate must not contain a nodeId.`);
+    }
+    if (fabricId !== void 0) {
+      if (Array.isArray(fabricId)) {
+        throw new CertificateError(`Invalid fabricId in NoC certificate: ${Diagnostic.json(fabricId)}`);
+      }
+      if (fabricId === FabricId(0)) {
+        throw new CertificateError(`Invalid fabricId in NoC certificate: ${Diagnostic.json(fabricId)}`);
+      }
+    }
+    if ("icacId" in subject) {
+      throw new CertificateError(`Root certificate must not contain an icacId.`);
+    }
+    if (rcacId === void 0 || Array.isArray(rcacId)) {
+      throw new CertificateError(`Invalid rcacId in Root certificate: ${Diagnostic.json(rcacId)}`);
+    }
+    if ("caseAuthenticatedTags" in subject) {
+      throw new CertificateError(`Root certificate must not contain a caseAuthenticatedTags.`);
+    }
+    if (basicConstraints.isCa !== true) {
+      throw new CertificateError(`Root certificate must have isCa set to true.`);
+    }
+    const keyUsage = ExtensionKeyUsageSchema.encode(extensions.keyUsage);
+    if (keyUsage !== 96 && keyUsage !== 97) {
+      throw new CertificateError(
+        `Root certificate keyUsage must have keyCertSign and CRLSign and optionally digitalSignature set.`
+      );
+    }
+    if (extensions.extendedKeyUsage !== void 0) {
+      throw new CertificateError(`Root certificate must not have extendedKeyUsage set.`);
+    }
+    if (subjectKeyIdentifier === void 0) {
+      throw new CertificateError(`Root certificate must have subjectKeyIdentifier set.`);
+    }
+    if (subjectKeyIdentifier.length !== 20) {
+      throw new CertificateError(`Root certificate subjectKeyIdentifier must be 160 bit.`);
+    }
+    if (authorityKeyIdentifier === void 0) {
+      throw new CertificateError(`Root certificate must have authorityKeyIdentifier set.`);
+    }
+    if (authorityKeyIdentifier.length !== 20) {
+      throw new CertificateError(`Root certificate authorityKeyIdentifier must be 160 bit.`);
+    }
+    if (!Bytes.areEqual(authorityKeyIdentifier, subjectKeyIdentifier)) {
+      throw new CertificateError(
+        `Root certificate authorityKeyIdentifier must be equal to subjectKeyIdentifier.`
+      );
+    }
+    await crypto.verifyEcdsa(PublicKey(this.cert.ellipticCurvePublicKey), this.asUnsignedAsn1(), this.signature);
+  }
+}
+export {
+  Rcac
+};
+//# sourceMappingURL=Rcac.js.map

package/dist/esm/certificate/kinds/Rcac.js.map ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/certificate/kinds/Rcac.ts"],
+  "mappings": "AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,SAAS,OAAe,YAAY,iBAAiB;AACrD,SAAS,gBAAgB;AACzB,SAAS,wBAAwB;AACjC,SAAS,+BAA+B;AACxC,SAAS,8BAA8B;AACvC,SAAS,uBAAuB;AAEzB,MAAM,aAAa,gBAA6C;AAAA;AAAA,EAEnE,OAAO,QAAQ,KAAuB;AAClC,WAAO,IAAI,KAAK,uBAAuB,QAAQ,OAAO,GAAG,CAAC;AAAA,EAC9D;AAAA;AAAA,EAGU,iBAAiB;AACvB,UAAM;AAAA,MACF,YAAY;AAAA,QACR,kBAAkB,EAAE,KAAK;AAAA,MAC7B;AAAA,IACJ,IAAI,KAAK;AACT,QAAI,CAAC,MAAM;AACP,YAAM,IAAI,iBAAiB,gCAAgC;AAAA,IAC/D;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAc;AACV,WAAO,uBAAuB,QAAQ,OAAO,EAAE,GAAG,KAAK,MAAM,WAAW,KAAK,UAAU,CAAC;AAAA,EAC5F;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,QAAgB;AACzB,SAAK,cAAc;AAEnB,UAAM,EAAE,SAAS,WAAW,IAAI,KAAK;AACrC,UAAM,EAAE,UAAU,OAAO,IAAI;AAC7B,UAAM,EAAE,kBAAkB,sBAAsB,uBAAuB,IAAI;AAG3E,QAAI,YAAY,SAAS;AACrB,YAAM,IAAI,iBAAiB,6CAA6C;AAAA,IAC5E;AAGA,QAAI,aAAa,QAAW;AACxB,UAAI,MAAM,QAAQ,QAAQ,GAAG;AACzB,cAAM,IAAI,iBAAiB,wCAAwC,WAAW,KAAK,QAAQ,CAAC,EAAE;AAAA,MAClG;AAEA,UAAI,aAAa,SAAS,CAAC,GAAG;AAC1B,cAAM,IAAI,iBAAiB,wCAAwC,WAAW,KAAK,QAAQ,CAAC,EAAE;AAAA,MAClG;AAAA,IACJ;AAGA,QAAI,YAAY,SAAS;AACrB,YAAM,IAAI,iBAAiB,8CAA8C;AAAA,IAC7E;AAGA,QAAI,WAAW,UAAa,MAAM,QAAQ,MAAM,GAAG;AAC/C,YAAM,IAAI,iBAAiB,uCAAuC,WAAW,KAAK,MAAM,CAAC,EAAE;AAAA,IAC/F;AAGA,QAAI,2BAA2B,SAAS;AACpC,YAAM,IAAI,iBAAiB,4DAA4D;AAAA,IAC3F;AAGA,QAAI,iBAAiB,SAAS,MAAM;AAChC,YAAM,IAAI,iBAAiB,8CAA8C;AAAA,IAC7E;AAIA,UAAM,WAAW,wBAAwB,OAAO,WAAW,QAAQ;AACnE,QAAI,aAAa,MAAU,aAAa,IAAQ;AAC5C,YAAM,IAAI;AAAA,QACN;AAAA,MACJ;AAAA,IACJ;AAGA,QAAI,WAAW,qBAAqB,QAAW;AAC3C,YAAM,IAAI,iBAAiB,sDAAsD;AAAA,IACrF;AAGA,QAAI,yBAAyB,QAAW;AACpC,YAAM,IAAI,iBAAiB,sDAAsD;AAAA,IACrF;AACA,QAAI,qBAAqB,WAAW,IAAI;AACpC,YAAM,IAAI,iBAAiB,wDAAwD;AAAA,IACvF;AAGA,QAAI,2BAA2B,QAAW;AACtC,YAAM,IAAI,iBAAiB,wDAAwD;AAAA,IACvF;AACA,QAAI,uBAAuB,WAAW,IAAI;AACtC,YAAM,IAAI,iBAAiB,0DAA0D;AAAA,IACzF;AAGA,QAAI,CAAC,MAAM,SAAS,wBAAwB,oBAAoB,GAAG;AAC/D,YAAM,IAAI;AAAA,QACN;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,OAAO,YAAY,UAAU,KAAK,KAAK,sBAAsB,GAAG,KAAK,eAAe,GAAG,KAAK,SAAS;AAAA,EAC/G;AACJ;",
+  "names": []
+}

package/dist/esm/certificate/kinds/X509Base.d.ts ADDED Viewed

@@ -0,0 +1,92 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Crypto, DerType, Key } from "#general";
+import { Unsigned } from "./common.js";
+import { X509Certificate } from "./definitions/base.js";
+/**
+ * Abstract definition of a X.509 certificate that can be signed and converted to ASN.1 DER format.
+ * It also provides two static methods to create a certificate signing request (CSR) and to extract the public key
+ * from a CSR.
+ */
+export declare abstract class X509Base<CT extends X509Certificate> {
+    #private;
+    constructor(cert: CT | Unsigned<CT>);
+    get cert(): Unsigned<CT>;
+    get isSigned(): boolean;
+    /**
+     * Get the signature of the certificate.
+     * If the certificate is not signed, it throws a CertificateError.
+     */
+    get signature(): Uint8Array;
+    /**
+     * Set the signature of the certificate.
+     * If the certificate is already signed, it throws a CertificateError.
+     */
+    set signature(signature: Uint8Array);
+    /**
+     * Sign the certificate using the provided crypto and key.
+     * It throws a CertificateError if the certificate is already signed.
+     */
+    sign(crypto: Crypto, key: JsonWebKey): Promise<void>;
+    /**
+     * Convert the certificate to ASN.1 DER format without signature.
+     */
+    asUnsignedAsn1(): Uint8Array<ArrayBufferLike>;
+    /**
+     * Build the ASN.1 DER structure for the certificate.
+     */
+    protected genericBuildAsn1Structure({ serialNumber, notBefore, notAfter, issuer, subject, ellipticCurvePublicKey, extensions, }: Unsigned<CT>): {
+        version: {
+            _tag: number;
+            _bytes: Uint8Array<ArrayBuffer>;
+        };
+        serialNumber: {
+            _type: DerType;
+            _raw: any;
+        };
+        signatureAlgorithm: any;
+        issuer: {
+            [field: string]: any[];
+        };
+        validity: {
+            notBefore: Date;
+            notAfter: Date;
+        };
+        subject: {
+            [field: string]: any[];
+        };
+        publicKey: {
+            type: {
+                algorithm: {
+                    _tag: number;
+                    _bytes: Uint8Array<ArrayBuffer>;
+                };
+                curve: {
+                    _tag: number;
+                    _bytes: Uint8Array<ArrayBuffer>;
+                };
+            };
+            bytes: {
+                _tag: number;
+                _bytes: Uint8Array<ArrayBufferLike>;
+                _padding: number;
+            };
+        };
+        extensions: {
+            _tag: number;
+            _bytes: Uint8Array<ArrayBuffer>;
+        };
+    };
+    /**
+     * Create a Certificate Signing Request (CSR) in ASN.1 DER format.
+     */
+    static createCertificateSigningRequest(crypto: Crypto, key: Key): Promise<Uint8Array<ArrayBufferLike>>;
+    /**
+     * Extract the public key from a Certificate Signing Request (CSR) in ASN.1 DER format.
+     */
+    static getPublicKeyFromCsr(crypto: Crypto, csr: Uint8Array): Promise<Uint8Array<ArrayBufferLike>>;
+}
+//# sourceMappingURL=X509Base.d.ts.map

package/dist/esm/certificate/kinds/X509Base.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"X509Base.d.ts","sourceRoot":"","sources":["../../../../src/certificate/kinds/X509Base.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAGH,MAAM,EAKN,OAAO,EACP,GAAG,EAMN,MAAM,UAAU,CAAC;AAElB,OAAO,EAA8C,QAAQ,EAAE,MAAM,aAAa,CAAC;AAYnF,OAAO,EAAoD,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAG1G;;;;GAIG;AACH,8BAAsB,QAAQ,CAAC,EAAE,SAAS,eAAe;;gBAIzC,IAAI,EAAE,EAAE,GAAG,QAAQ,CAAC,EAAE,CAAC;IAOnC,IAAI,IAAI,IAAI,QAAQ,CAAC,EAAE,CAAC,CAEvB;IAED,IAAI,QAAQ,YAEX;IAED;;;OAGG;IACH,IAAI,SAAS,IAWY,UAAU,CANlC;IAED;;;OAGG;IACH,IAAI,SAAS,CAAC,SAAS,EAAE,UAAU,EAKlC;IAED;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU;IAI1C;;OAEG;IACH,cAAc,IAAI,UAAU,CAAC,eAAe,CAAC;IAiM7C;;OAEG;IACH,SAAS,CAAC,yBAAyB,CAAC,EAChC,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,MAAM,EACN,OAAO,EACP,sBAAsB,EACtB,UAAU,GACb,EAAE,QAAQ,CAAC,EAAE,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAsBf;;OAEG;WACU,+BAA+B,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG;IAerE;;OAEG;WACU,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU;CAqCnE"}