npm - @matter/protocol - Versions diffs - 0.15.0-alpha.0-20250617-f4d4cad23 → 0.15.0-alpha.0-20250620-16e218ed3 - Mend

@matter/protocol 0.15.0-alpha.0-20250617-f4d4cad23 → 0.15.0-alpha.0-20250620-16e218ed3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (271) hide show

package/dist/cjs/certificate/kinds/Noc.js ADDED Viewed

@@ -0,0 +1,148 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var Noc_exports = {};
+__export(Noc_exports, {
+  Noc: () => Noc
+});
+module.exports = __toCommonJS(Noc_exports);
+var import_general = require("#general");
+var import_types = require("#types");
+var import_common = require("./common.js");
+var import_operational = require("./definitions/operational.js");
+var import_OperationalBase = require("./OperationalBase.js");
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class Noc extends import_OperationalBase.OperationalBase {
+  /** Construct the class from a Tlv version of the certificate */
+  static fromTlv(tlv) {
+    return new Noc(import_operational.OperationalCertificate.TlvNoc.decode(tlv));
+  }
+  /** Validates all basic certificate fields on construction. */
+  validateFields() {
+    const {
+      issuer: { icacId, rcacId },
+      extensions: {
+        basicConstraints: { isCa }
+      }
+    } = this.cert;
+    if (icacId === void 0 && rcacId === void 0) {
+      throw new import_common.CertificateError("Issuer RCAC or ICAC ID must be defined for an operational certificate.");
+    }
+    if (isCa) {
+      throw new import_common.CertificateError("Node operational certificate must not be a CA.");
+    }
+  }
+  /**
+   * Encodes the certificate with the signature as Matter Tlv.
+   * If the certificate is not signed, it throws a CertificateError.
+   */
+  asSignedTlv() {
+    return import_operational.OperationalCertificate.TlvNoc.encode({ ...this.cert, signature: this.signature });
+  }
+  /**
+   * Verify requirements a Matter Node Operational certificate must fulfill.
+   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+   */
+  async verify(crypto, root, ica) {
+    this.generalVerify();
+    const {
+      subject,
+      extensions: { extendedKeyUsage, subjectKeyIdentifier, authorityKeyIdentifier }
+    } = this.cert;
+    const { nodeId, fabricId, caseAuthenticatedTags } = subject;
+    const {
+      subject: { fabricId: rootFabricId }
+    } = root.cert;
+    const {
+      subject: { fabricId: icaFabricId }
+    } = ica?.cert ?? { subject: {} };
+    if (nodeId === void 0 || Array.isArray(nodeId)) {
+      throw new import_common.CertificateError(`Invalid nodeId in NoC certificate: ${import_general.Diagnostic.json(nodeId)}`);
+    }
+    if (!import_types.NodeId.isOperationalNodeId(nodeId)) {
+      throw new import_common.CertificateError(`Invalid nodeId in NoC certificate: ${import_general.Diagnostic.json(nodeId)}`);
+    }
+    if (fabricId === void 0 || Array.isArray(fabricId)) {
+      throw new import_common.CertificateError(`Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(fabricId)}`);
+    }
+    if (fabricId === (0, import_types.FabricId)(0)) {
+      throw new import_common.CertificateError(`Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(fabricId)}`);
+    }
+    if ("icacId" in subject) {
+      throw new import_common.CertificateError(`Noc certificate must not contain an icacId.`);
+    }
+    if ("rcacId" in subject) {
+      throw new import_common.CertificateError(`Noc certificate must not contain an rcacId.`);
+    }
+    if (caseAuthenticatedTags !== void 0) {
+      import_types.CaseAuthenticatedTag.validateNocTagList(caseAuthenticatedTags);
+    }
+    if (rootFabricId !== void 0 && rootFabricId !== fabricId) {
+      throw new import_common.CertificateError(
+        `FabricId in NoC certificate does not match the fabricId in the parent certificate. ${import_general.Diagnostic.json(
+          rootFabricId
+        )} !== ${import_general.Diagnostic.json(fabricId)}`
+      );
+    }
+    if (icaFabricId !== void 0 && icaFabricId !== fabricId) {
+      throw new import_common.CertificateError(
+        `FabricId in NoC certificate does not match the fabricId in the parent certificate. ${import_general.Diagnostic.json(
+          icaFabricId
+        )} !== ${import_general.Diagnostic.json(fabricId)}`
+      );
+    }
+    if (this.cert.extensions.basicConstraints.isCa) {
+      throw new import_common.CertificateError(`Noc certificate must not have isCa set to true.`);
+    }
+    if (!this.cert.extensions.keyUsage.digitalSignature) {
+      throw new import_common.CertificateError(`Noc certificate must have keyUsage set to digitalSignature.`);
+    }
+    if (extendedKeyUsage === void 0 || !extendedKeyUsage.includes(1) && !extendedKeyUsage.includes(2)) {
+      throw new import_common.CertificateError(
+        `Noc certificate must have extendedKeyUsage with serverAuth and clientAuth: ${import_general.Diagnostic.json(extendedKeyUsage)}`
+      );
+    }
+    if (subjectKeyIdentifier === void 0) {
+      throw new import_common.CertificateError(`Noc certificate must have subjectKeyIdentifier set.`);
+    }
+    if (subjectKeyIdentifier.length !== 20) {
+      throw new import_common.CertificateError(`Noc certificate subjectKeyIdentifier must be 160 bit.`);
+    }
+    if (authorityKeyIdentifier === void 0) {
+      throw new import_common.CertificateError(`Noc certificate must have authorityKeyIdentifier set.`);
+    }
+    if (authorityKeyIdentifier.length !== 20) {
+      throw new import_common.CertificateError(`Noc certificate authorityKeyIdentifier must be 160 bit.`);
+    }
+    if (!import_general.Bytes.areEqual(authorityKeyIdentifier, (ica?.cert ?? root.cert).extensions.subjectKeyIdentifier)) {
+      throw new import_common.CertificateError(
+        `Noc certificate authorityKeyIdentifier must be equal to Root/Ica subjectKeyIdentifier.`
+      );
+    }
+    await crypto.verifyEcdsa(
+      (0, import_general.PublicKey)((ica?.cert ?? root.cert).ellipticCurvePublicKey),
+      this.asUnsignedAsn1(),
+      this.signature
+    );
+  }
+}
+//# sourceMappingURL=Noc.js.map

package/dist/cjs/certificate/kinds/Noc.js.map ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/certificate/kinds/Noc.ts"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,qBAAqD;AACrD,mBAAuD;AACvD,oBAAiC;AACjC,yBAAuC;AAEvC,6BAAgC;AAXhC;AAAA;AAAA;AAAA;AAAA;AAcO,MAAM,YAAY,uCAA4C;AAAA;AAAA,EAEjE,OAAO,QAAQ,KAAiB;AAC5B,WAAO,IAAI,IAAI,0CAAuB,OAAO,OAAO,GAAG,CAAC;AAAA,EAC5D;AAAA;AAAA,EAGU,iBAAiB;AACvB,UAAM;AAAA,MACF,QAAQ,EAAE,QAAQ,OAAO;AAAA,MACzB,YAAY;AAAA,QACR,kBAAkB,EAAE,KAAK;AAAA,MAC7B;AAAA,IACJ,IAAI,KAAK;AACT,QAAI,WAAW,UAAa,WAAW,QAAW;AAC9C,YAAM,IAAI,+BAAiB,wEAAwE;AAAA,IACvG;AACA,QAAI,MAAM;AACN,YAAM,IAAI,+BAAiB,gDAAgD;AAAA,IAC/E;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAc;AACV,WAAO,0CAAuB,OAAO,OAAO,EAAE,GAAG,KAAK,MAAM,WAAW,KAAK,UAAU,CAAC;AAAA,EAC3F;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,QAAgB,MAAY,KAAY;AACjD,SAAK,cAAc;AAEnB,UAAM;AAAA,MACF;AAAA,MACA,YAAY,EAAE,kBAAkB,sBAAsB,uBAAuB;AAAA,IACjF,IAAI,KAAK;AACT,UAAM,EAAE,QAAQ,UAAU,sBAAsB,IAAI;AACpD,UAAM;AAAA,MACF,SAAS,EAAE,UAAU,aAAa;AAAA,IACtC,IAAI,KAAK;AACT,UAAM;AAAA,MACF,SAAS,EAAE,UAAU,YAAY;AAAA,IACrC,IAAI,KAAK,QAAQ,EAAE,SAAS,CAAC,EAAE;AAG/B,QAAI,WAAW,UAAa,MAAM,QAAQ,MAAM,GAAG;AAC/C,YAAM,IAAI,+BAAiB,sCAAsC,0BAAW,KAAK,MAAM,CAAC,EAAE;AAAA,IAC9F;AAEA,QAAI,CAAC,oBAAO,oBAAoB,MAAM,GAAG;AACrC,YAAM,IAAI,+BAAiB,sCAAsC,0BAAW,KAAK,MAAM,CAAC,EAAE;AAAA,IAC9F;AAGA,QAAI,aAAa,UAAa,MAAM,QAAQ,QAAQ,GAAG;AACnD,YAAM,IAAI,+BAAiB,wCAAwC,0BAAW,KAAK,QAAQ,CAAC,EAAE;AAAA,IAClG;AAEA,QAAI,iBAAa,uBAAS,CAAC,GAAG;AAC1B,YAAM,IAAI,+BAAiB,wCAAwC,0BAAW,KAAK,QAAQ,CAAC,EAAE;AAAA,IAClG;AAGA,QAAI,YAAY,SAAS;AACrB,YAAM,IAAI,+BAAiB,6CAA6C;AAAA,IAC5E;AAGA,QAAI,YAAY,SAAS;AACrB,YAAM,IAAI,+BAAiB,6CAA6C;AAAA,IAC5E;AAGA,QAAI,0BAA0B,QAAW;AACrC,wCAAqB,mBAAmB,qBAAqB;AAAA,IACjE;AAKA,QAAI,iBAAiB,UAAa,iBAAiB,UAAU;AACzD,YAAM,IAAI;AAAA,QACN,sFAAsF,0BAAW;AAAA,UAC7F;AAAA,QACJ,CAAC,QAAQ,0BAAW,KAAK,QAAQ,CAAC;AAAA,MACtC;AAAA,IACJ;AACA,QAAI,gBAAgB,UAAa,gBAAgB,UAAU;AACvD,YAAM,IAAI;AAAA,QACN,sFAAsF,0BAAW;AAAA,UAC7F;AAAA,QACJ,CAAC,QAAQ,0BAAW,KAAK,QAAQ,CAAC;AAAA,MACtC;AAAA,IACJ;AAGA,QAAI,KAAK,KAAK,WAAW,iBAAiB,MAAM;AAC5C,YAAM,IAAI,+BAAiB,iDAAiD;AAAA,IAChF;AAMA,QAAI,CAAC,KAAK,KAAK,WAAW,SAAS,kBAAkB;AACjD,YAAM,IAAI,+BAAiB,6DAA6D;AAAA,IAC5F;AAGA,QAAI,qBAAqB,UAAc,CAAC,iBAAiB,SAAS,CAAC,KAAK,CAAC,iBAAiB,SAAS,CAAC,GAAI;AACpG,YAAM,IAAI;AAAA,QACN,8EAA8E,0BAAW,KAAK,gBAAgB,CAAC;AAAA,MACnH;AAAA,IACJ;AAGA,QAAI,yBAAyB,QAAW;AACpC,YAAM,IAAI,+BAAiB,qDAAqD;AAAA,IACpF;AACA,QAAI,qBAAqB,WAAW,IAAI;AACpC,YAAM,IAAI,+BAAiB,uDAAuD;AAAA,IACtF;AAGA,QAAI,2BAA2B,QAAW;AACtC,YAAM,IAAI,+BAAiB,uDAAuD;AAAA,IACtF;AACA,QAAI,uBAAuB,WAAW,IAAI;AACtC,YAAM,IAAI,+BAAiB,yDAAyD;AAAA,IACxF;AAGA,QAAI,CAAC,qBAAM,SAAS,yBAAyB,KAAK,QAAQ,KAAK,MAAM,WAAW,oBAAoB,GAAG;AACnG,YAAM,IAAI;AAAA,QACN;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,OAAO;AAAA,UACT,2BAAW,KAAK,QAAQ,KAAK,MAAM,sBAAsB;AAAA,MACzD,KAAK,eAAe;AAAA,MACpB,KAAK;AAAA,IACT;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/dist/cjs/certificate/kinds/OperationalBase.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { X509Base } from "./X509Base.js";
+import { Unsigned } from "./common.js";
+import { X509Certificate } from "./definitions/base.js";
+/**
+ * Base class for all operational certificates (RCAC, ICAC, NOC)
+ */
+export declare abstract class OperationalBase<CT extends X509Certificate> extends X509Base<CT> {
+    constructor(cert: CT | Unsigned<CT>);
+    /** Validates all basic certificate fields on construction. */
+    protected abstract validateFields(): void;
+    /** Encodes the signed certificate into the Matter TLV format. */
+    abstract asSignedTlv(signature: Uint8Array<ArrayBufferLike>): Uint8Array;
+    /**
+     * Verifies general requirements a Matter certificate fields must fulfill.
+     * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+     */
+    generalVerify(): void;
+}
+//# sourceMappingURL=OperationalBase.d.ts.map

package/dist/cjs/certificate/kinds/OperationalBase.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"OperationalBase.d.ts","sourceRoot":"","sources":["../../../../src/certificate/kinds/OperationalBase.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAoB,QAAQ,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAIxD;;GAEG;AACH,8BAAsB,eAAe,CAAC,EAAE,SAAS,eAAe,CAAE,SAAQ,QAAQ,CAAC,EAAE,CAAC;gBACtE,IAAI,EAAE,EAAE,GAAG,QAAQ,CAAC,EAAE,CAAC;IAKnC,8DAA8D;IAC9D,SAAS,CAAC,QAAQ,CAAC,cAAc,IAAI,IAAI;IAEzC,iEAAiE;IACjE,QAAQ,CAAC,WAAW,CAAC,SAAS,EAAE,UAAU,CAAC,eAAe,CAAC,GAAG,UAAU;IAExE;;;OAGG;IACH,aAAa;CAuChB"}

package/dist/cjs/certificate/kinds/OperationalBase.js ADDED Viewed

@@ -0,0 +1,68 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var OperationalBase_exports = {};
+__export(OperationalBase_exports, {
+  OperationalBase: () => OperationalBase
+});
+module.exports = __toCommonJS(OperationalBase_exports);
+var import_general = require("#general");
+var import_X509Base = require("./X509Base.js");
+var import_common = require("./common.js");
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+const logger = import_general.Logger.get("OperationalBaseCertificate");
+class OperationalBase extends import_X509Base.X509Base {
+  constructor(cert) {
+    super(cert);
+    this.validateFields();
+  }
+  /**
+   * Verifies general requirements a Matter certificate fields must fulfill.
+   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+   */
+  generalVerify() {
+    const cert = this.cert;
+    if (cert.serialNumber.length > 20)
+      throw new import_common.CertificateError(
+        `Serial number must not be longer then 20 octets. Current serial number has ${cert.serialNumber.length} octets.`
+      );
+    if (cert.signatureAlgorithm !== 1) {
+      throw new import_common.CertificateError(`Unsupported signature algorithm: ${cert.signatureAlgorithm}`);
+    }
+    if (cert.publicKeyAlgorithm !== 1) {
+      throw new import_common.CertificateError(`Unsupported public key algorithm: ${cert.publicKeyAlgorithm}`);
+    }
+    if (cert.ellipticCurveIdentifier !== 1) {
+      throw new import_common.CertificateError(`Unsupported elliptic curve identifier: ${cert.ellipticCurveIdentifier}`);
+    }
+    if (Object.keys(cert.subject).length > 5) {
+      throw new import_common.CertificateError(`Certificate subject must not contain more than 5 RDNs.`);
+    }
+    if (Object.keys(cert.issuer).length > 5) {
+      throw new import_common.CertificateError(`Certificate issuer must not contain more than 5 RDNs.`);
+    }
+    if (cert.notBefore * 1e3 > import_general.Time.nowMs()) {
+      logger.warn(`Certificate notBefore date is in the future: ${cert.notBefore * 1e3} vs ${import_general.Time.nowMs()}`);
+    }
+  }
+}
+//# sourceMappingURL=OperationalBase.js.map

package/dist/cjs/certificate/kinds/OperationalBase.js.map ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/certificate/kinds/OperationalBase.ts"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,qBAA6B;AAC7B,sBAAyB;AACzB,oBAA2C;AAR3C;AAAA;AAAA;AAAA;AAAA;AAWA,MAAM,SAAS,sBAAO,IAAI,4BAA4B;AAK/C,MAAe,wBAAoD,yBAAa;AAAA,EACnF,YAAY,MAAyB;AACjC,UAAM,IAAI;AACV,SAAK,eAAe;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,gBAAgB;AACZ,UAAM,OAAO,KAAK;AAClB,QAAI,KAAK,aAAa,SAAS;AAC3B,YAAM,IAAI;AAAA,QACN,8EAA8E,KAAK,aAAa,MAAM;AAAA,MAC1G;AAEJ,QAAI,KAAK,uBAAuB,GAAG;AAE/B,YAAM,IAAI,+BAAiB,oCAAoC,KAAK,kBAAkB,EAAE;AAAA,IAC5F;AAEA,QAAI,KAAK,uBAAuB,GAAG;AAE/B,YAAM,IAAI,+BAAiB,qCAAqC,KAAK,kBAAkB,EAAE;AAAA,IAC7F;AAEA,QAAI,KAAK,4BAA4B,GAAG;AAEpC,YAAM,IAAI,+BAAiB,0CAA0C,KAAK,uBAAuB,EAAE;AAAA,IACvG;AAGA,QAAI,OAAO,KAAK,KAAK,OAAO,EAAE,SAAS,GAAG;AACtC,YAAM,IAAI,+BAAiB,wDAAwD;AAAA,IACvF;AACA,QAAI,OAAO,KAAK,KAAK,MAAM,EAAE,SAAS,GAAG;AACrC,YAAM,IAAI,+BAAiB,uDAAuD;AAAA,IACtF;AAIA,QAAI,KAAK,YAAY,MAAO,oBAAK,MAAM,GAAG;AACtC,aAAO,KAAK,gDAAgD,KAAK,YAAY,GAAI,OAAO,oBAAK,MAAM,CAAC,EAAE;AAAA,IAI1G;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/dist/cjs/certificate/kinds/Rcac.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Crypto } from "#general";
+import { OperationalCertificate } from "./definitions/operational.js";
+import { OperationalBase } from "./OperationalBase.js";
+export declare class Rcac extends OperationalBase<OperationalCertificate.Rcac> {
+    /** Construct the class from a Tlv version of the certificate */
+    static fromTlv(tlv: Uint8Array): Rcac;
+    /** Validates all basic certificate fields on construction. */
+    protected validateFields(): void;
+    /**
+     * Encodes the certificate with the signature as Matter Tlv.
+     * If the certificate is not signed, it throws a CertificateError.
+     */
+    asSignedTlv(): Uint8Array<ArrayBufferLike>;
+    /**
+     * Verify requirements a Matter Root certificate must fulfill.
+     * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+     */
+    verify(crypto: Crypto): Promise<void>;
+}
+//# sourceMappingURL=Rcac.d.ts.map

package/dist/cjs/certificate/kinds/Rcac.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"Rcac.d.ts","sourceRoot":"","sources":["../../../../src/certificate/kinds/Rcac.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAS,MAAM,EAAyB,MAAM,UAAU,CAAC;AAIhE,OAAO,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,qBAAa,IAAK,SAAQ,eAAe,CAAC,sBAAsB,CAAC,IAAI,CAAC;IAClE,gEAAgE;IAChE,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI;IAIrC,8DAA8D;IAC9D,SAAS,CAAC,cAAc;IAWxB;;;OAGG;IACH,WAAW;IAIX;;;OAGG;IACG,MAAM,CAAC,MAAM,EAAE,MAAM;CAkF9B"}

package/dist/cjs/certificate/kinds/Rcac.js ADDED Viewed

@@ -0,0 +1,119 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var Rcac_exports = {};
+__export(Rcac_exports, {
+  Rcac: () => Rcac
+});
+module.exports = __toCommonJS(Rcac_exports);
+var import_general = require("#general");
+var import_types = require("#types");
+var import_common = require("./common.js");
+var import_base = require("./definitions/base.js");
+var import_operational = require("./definitions/operational.js");
+var import_OperationalBase = require("./OperationalBase.js");
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class Rcac extends import_OperationalBase.OperationalBase {
+  /** Construct the class from a Tlv version of the certificate */
+  static fromTlv(tlv) {
+    return new Rcac(import_operational.OperationalCertificate.TlvRcac.decode(tlv));
+  }
+  /** Validates all basic certificate fields on construction. */
+  validateFields() {
+    const {
+      extensions: {
+        basicConstraints: { isCa }
+      }
+    } = this.cert;
+    if (!isCa) {
+      throw new import_common.CertificateError("Root certificate must be a CA.");
+    }
+  }
+  /**
+   * Encodes the certificate with the signature as Matter Tlv.
+   * If the certificate is not signed, it throws a CertificateError.
+   */
+  asSignedTlv() {
+    return import_operational.OperationalCertificate.TlvRcac.encode({ ...this.cert, signature: this.signature });
+  }
+  /**
+   * Verify requirements a Matter Root certificate must fulfill.
+   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+   */
+  async verify(crypto) {
+    this.generalVerify();
+    const { subject, extensions } = this.cert;
+    const { fabricId, rcacId } = subject;
+    const { basicConstraints, subjectKeyIdentifier, authorityKeyIdentifier } = extensions;
+    if ("nodeId" in subject) {
+      throw new import_common.CertificateError(`Root certificate must not contain a nodeId.`);
+    }
+    if (fabricId !== void 0) {
+      if (Array.isArray(fabricId)) {
+        throw new import_common.CertificateError(`Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(fabricId)}`);
+      }
+      if (fabricId === (0, import_types.FabricId)(0)) {
+        throw new import_common.CertificateError(`Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(fabricId)}`);
+      }
+    }
+    if ("icacId" in subject) {
+      throw new import_common.CertificateError(`Root certificate must not contain an icacId.`);
+    }
+    if (rcacId === void 0 || Array.isArray(rcacId)) {
+      throw new import_common.CertificateError(`Invalid rcacId in Root certificate: ${import_general.Diagnostic.json(rcacId)}`);
+    }
+    if ("caseAuthenticatedTags" in subject) {
+      throw new import_common.CertificateError(`Root certificate must not contain a caseAuthenticatedTags.`);
+    }
+    if (basicConstraints.isCa !== true) {
+      throw new import_common.CertificateError(`Root certificate must have isCa set to true.`);
+    }
+    const keyUsage = import_base.ExtensionKeyUsageSchema.encode(extensions.keyUsage);
+    if (keyUsage !== 96 && keyUsage !== 97) {
+      throw new import_common.CertificateError(
+        `Root certificate keyUsage must have keyCertSign and CRLSign and optionally digitalSignature set.`
+      );
+    }
+    if (extensions.extendedKeyUsage !== void 0) {
+      throw new import_common.CertificateError(`Root certificate must not have extendedKeyUsage set.`);
+    }
+    if (subjectKeyIdentifier === void 0) {
+      throw new import_common.CertificateError(`Root certificate must have subjectKeyIdentifier set.`);
+    }
+    if (subjectKeyIdentifier.length !== 20) {
+      throw new import_common.CertificateError(`Root certificate subjectKeyIdentifier must be 160 bit.`);
+    }
+    if (authorityKeyIdentifier === void 0) {
+      throw new import_common.CertificateError(`Root certificate must have authorityKeyIdentifier set.`);
+    }
+    if (authorityKeyIdentifier.length !== 20) {
+      throw new import_common.CertificateError(`Root certificate authorityKeyIdentifier must be 160 bit.`);
+    }
+    if (!import_general.Bytes.areEqual(authorityKeyIdentifier, subjectKeyIdentifier)) {
+      throw new import_common.CertificateError(
+        `Root certificate authorityKeyIdentifier must be equal to subjectKeyIdentifier.`
+      );
+    }
+    await crypto.verifyEcdsa((0, import_general.PublicKey)(this.cert.ellipticCurvePublicKey), this.asUnsignedAsn1(), this.signature);
+  }
+}
+//# sourceMappingURL=Rcac.js.map

package/dist/cjs/certificate/kinds/Rcac.js.map ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/certificate/kinds/Rcac.ts"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAMA,qBAAqD;AACrD,mBAAyB;AACzB,oBAAiC;AACjC,kBAAwC;AACxC,yBAAuC;AACvC,6BAAgC;AAXhC;AAAA;AAAA;AAAA;AAAA;AAaO,MAAM,aAAa,uCAA6C;AAAA;AAAA,EAEnE,OAAO,QAAQ,KAAuB;AAClC,WAAO,IAAI,KAAK,0CAAuB,QAAQ,OAAO,GAAG,CAAC;AAAA,EAC9D;AAAA;AAAA,EAGU,iBAAiB;AACvB,UAAM;AAAA,MACF,YAAY;AAAA,QACR,kBAAkB,EAAE,KAAK;AAAA,MAC7B;AAAA,IACJ,IAAI,KAAK;AACT,QAAI,CAAC,MAAM;AACP,YAAM,IAAI,+BAAiB,gCAAgC;AAAA,IAC/D;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAc;AACV,WAAO,0CAAuB,QAAQ,OAAO,EAAE,GAAG,KAAK,MAAM,WAAW,KAAK,UAAU,CAAC;AAAA,EAC5F;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,QAAgB;AACzB,SAAK,cAAc;AAEnB,UAAM,EAAE,SAAS,WAAW,IAAI,KAAK;AACrC,UAAM,EAAE,UAAU,OAAO,IAAI;AAC7B,UAAM,EAAE,kBAAkB,sBAAsB,uBAAuB,IAAI;AAG3E,QAAI,YAAY,SAAS;AACrB,YAAM,IAAI,+BAAiB,6CAA6C;AAAA,IAC5E;AAGA,QAAI,aAAa,QAAW;AACxB,UAAI,MAAM,QAAQ,QAAQ,GAAG;AACzB,cAAM,IAAI,+BAAiB,wCAAwC,0BAAW,KAAK,QAAQ,CAAC,EAAE;AAAA,MAClG;AAEA,UAAI,iBAAa,uBAAS,CAAC,GAAG;AAC1B,cAAM,IAAI,+BAAiB,wCAAwC,0BAAW,KAAK,QAAQ,CAAC,EAAE;AAAA,MAClG;AAAA,IACJ;AAGA,QAAI,YAAY,SAAS;AACrB,YAAM,IAAI,+BAAiB,8CAA8C;AAAA,IAC7E;AAGA,QAAI,WAAW,UAAa,MAAM,QAAQ,MAAM,GAAG;AAC/C,YAAM,IAAI,+BAAiB,uCAAuC,0BAAW,KAAK,MAAM,CAAC,EAAE;AAAA,IAC/F;AAGA,QAAI,2BAA2B,SAAS;AACpC,YAAM,IAAI,+BAAiB,4DAA4D;AAAA,IAC3F;AAGA,QAAI,iBAAiB,SAAS,MAAM;AAChC,YAAM,IAAI,+BAAiB,8CAA8C;AAAA,IAC7E;AAIA,UAAM,WAAW,oCAAwB,OAAO,WAAW,QAAQ;AACnE,QAAI,aAAa,MAAU,aAAa,IAAQ;AAC5C,YAAM,IAAI;AAAA,QACN;AAAA,MACJ;AAAA,IACJ;AAGA,QAAI,WAAW,qBAAqB,QAAW;AAC3C,YAAM,IAAI,+BAAiB,sDAAsD;AAAA,IACrF;AAGA,QAAI,yBAAyB,QAAW;AACpC,YAAM,IAAI,+BAAiB,sDAAsD;AAAA,IACrF;AACA,QAAI,qBAAqB,WAAW,IAAI;AACpC,YAAM,IAAI,+BAAiB,wDAAwD;AAAA,IACvF;AAGA,QAAI,2BAA2B,QAAW;AACtC,YAAM,IAAI,+BAAiB,wDAAwD;AAAA,IACvF;AACA,QAAI,uBAAuB,WAAW,IAAI;AACtC,YAAM,IAAI,+BAAiB,0DAA0D;AAAA,IACzF;AAGA,QAAI,CAAC,qBAAM,SAAS,wBAAwB,oBAAoB,GAAG;AAC/D,YAAM,IAAI;AAAA,QACN;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,OAAO,gBAAY,0BAAU,KAAK,KAAK,sBAAsB,GAAG,KAAK,eAAe,GAAG,KAAK,SAAS;AAAA,EAC/G;AACJ;",
+  "names": []
+}

package/dist/cjs/certificate/kinds/X509Base.d.ts ADDED Viewed

@@ -0,0 +1,92 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Crypto, DerType, Key } from "#general";
+import { Unsigned } from "./common.js";
+import { X509Certificate } from "./definitions/base.js";
+/**
+ * Abstract definition of a X.509 certificate that can be signed and converted to ASN.1 DER format.
+ * It also provides two static methods to create a certificate signing request (CSR) and to extract the public key
+ * from a CSR.
+ */
+export declare abstract class X509Base<CT extends X509Certificate> {
+    #private;
+    constructor(cert: CT | Unsigned<CT>);
+    get cert(): Unsigned<CT>;
+    get isSigned(): boolean;
+    /**
+     * Get the signature of the certificate.
+     * If the certificate is not signed, it throws a CertificateError.
+     */
+    get signature(): Uint8Array;
+    /**
+     * Set the signature of the certificate.
+     * If the certificate is already signed, it throws a CertificateError.
+     */
+    set signature(signature: Uint8Array);
+    /**
+     * Sign the certificate using the provided crypto and key.
+     * It throws a CertificateError if the certificate is already signed.
+     */
+    sign(crypto: Crypto, key: JsonWebKey): Promise<void>;
+    /**
+     * Convert the certificate to ASN.1 DER format without signature.
+     */
+    asUnsignedAsn1(): Uint8Array<ArrayBufferLike>;
+    /**
+     * Build the ASN.1 DER structure for the certificate.
+     */
+    protected genericBuildAsn1Structure({ serialNumber, notBefore, notAfter, issuer, subject, ellipticCurvePublicKey, extensions, }: Unsigned<CT>): {
+        version: {
+            _tag: number;
+            _bytes: Uint8Array<ArrayBuffer>;
+        };
+        serialNumber: {
+            _type: DerType;
+            _raw: any;
+        };
+        signatureAlgorithm: any;
+        issuer: {
+            [field: string]: any[];
+        };
+        validity: {
+            notBefore: Date;
+            notAfter: Date;
+        };
+        subject: {
+            [field: string]: any[];
+        };
+        publicKey: {
+            type: {
+                algorithm: {
+                    _tag: number;
+                    _bytes: Uint8Array<ArrayBuffer>;
+                };
+                curve: {
+                    _tag: number;
+                    _bytes: Uint8Array<ArrayBuffer>;
+                };
+            };
+            bytes: {
+                _tag: number;
+                _bytes: Uint8Array<ArrayBufferLike>;
+                _padding: number;
+            };
+        };
+        extensions: {
+            _tag: number;
+            _bytes: Uint8Array<ArrayBuffer>;
+        };
+    };
+    /**
+     * Create a Certificate Signing Request (CSR) in ASN.1 DER format.
+     */
+    static createCertificateSigningRequest(crypto: Crypto, key: Key): Promise<Uint8Array<ArrayBufferLike>>;
+    /**
+     * Extract the public key from a Certificate Signing Request (CSR) in ASN.1 DER format.
+     */
+    static getPublicKeyFromCsr(crypto: Crypto, csr: Uint8Array): Promise<Uint8Array<ArrayBufferLike>>;
+}
+//# sourceMappingURL=X509Base.d.ts.map

package/dist/cjs/certificate/kinds/X509Base.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"X509Base.d.ts","sourceRoot":"","sources":["../../../../src/certificate/kinds/X509Base.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAGH,MAAM,EAKN,OAAO,EACP,GAAG,EAMN,MAAM,UAAU,CAAC;AAElB,OAAO,EAA8C,QAAQ,EAAE,MAAM,aAAa,CAAC;AAYnF,OAAO,EAAoD,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAG1G;;;;GAIG;AACH,8BAAsB,QAAQ,CAAC,EAAE,SAAS,eAAe;;gBAIzC,IAAI,EAAE,EAAE,GAAG,QAAQ,CAAC,EAAE,CAAC;IAOnC,IAAI,IAAI,IAAI,QAAQ,CAAC,EAAE,CAAC,CAEvB;IAED,IAAI,QAAQ,YAEX;IAED;;;OAGG;IACH,IAAI,SAAS,IAWY,UAAU,CANlC;IAED;;;OAGG;IACH,IAAI,SAAS,CAAC,SAAS,EAAE,UAAU,EAKlC;IAED;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU;IAI1C;;OAEG;IACH,cAAc,IAAI,UAAU,CAAC,eAAe,CAAC;IAiM7C;;OAEG;IACH,SAAS,CAAC,yBAAyB,CAAC,EAChC,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,MAAM,EACN,OAAO,EACP,sBAAsB,EACtB,UAAU,GACb,EAAE,QAAQ,CAAC,EAAE,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAsBf;;OAEG;WACU,+BAA+B,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG;IAerE;;OAEG;WACU,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU;CAqCnE"}