@naylence/advanced-security 0.3.7-test.113 → 0.3.7-test.114
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/dist/browser/index.cjs +0 -9879
- package/dist/browser/index.mjs +0 -9826
- package/dist/cjs/advanced-security-isomorphic.js +0 -97
- package/dist/cjs/advanced-security-isomorphic.js.map +0 -1
- package/dist/cjs/browser.js +0 -25
- package/dist/cjs/browser.js.map +0 -1
- package/dist/cjs/index.js +0 -2
- package/dist/cjs/index.js.map +0 -1
- package/dist/cjs/install-env.js +0 -2
- package/dist/cjs/install-env.js.map +0 -1
- package/dist/cjs/naylence/fame/factory-manifest.js +0 -39
- package/dist/cjs/naylence/fame/factory-manifest.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/browser-csr.js +0 -103
- package/dist/cjs/naylence/fame/security/cert/browser-csr.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/ca-server-cli.js +0 -30
- package/dist/cjs/naylence/fame/security/cert/ca-server-cli.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/ca-server.js +0 -223
- package/dist/cjs/naylence/fame/security/cert/ca-server.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/ca-service-client.js +0 -585
- package/dist/cjs/naylence/fame/security/cert/ca-service-client.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/ca-service-factory.js +0 -61
- package/dist/cjs/naylence/fame/security/cert/ca-service-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/ca-types.js +0 -39
- package/dist/cjs/naylence/fame/security/cert/ca-types.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/csr-types.js +0 -2
- package/dist/cjs/naylence/fame/security/cert/csr-types.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/default-ca-service-factory.js +0 -66
- package/dist/cjs/naylence/fame/security/cert/default-ca-service-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/default-ca-service.js +0 -364
- package/dist/cjs/naylence/fame/security/cert/default-ca-service.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/default-certificate-manager-factory.js +0 -73
- package/dist/cjs/naylence/fame/security/cert/default-certificate-manager-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/default-certificate-manager.js +0 -815
- package/dist/cjs/naylence/fame/security/cert/default-certificate-manager.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/grants.js +0 -2
- package/dist/cjs/naylence/fame/security/cert/grants.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/index.js +0 -18
- package/dist/cjs/naylence/fame/security/cert/index.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/internal-ca-service.js +0 -741
- package/dist/cjs/naylence/fame/security/cert/internal-ca-service.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/node-ed25519-csr.js +0 -156
- package/dist/cjs/naylence/fame/security/cert/node-ed25519-csr.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/oid-constants.js +0 -7
- package/dist/cjs/naylence/fame/security/cert/oid-constants.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/anchor-utils.js +0 -119
- package/dist/cjs/naylence/fame/security/cert/trust-store/anchor-utils.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/browser-trust-store-provider-factory.js +0 -82
- package/dist/cjs/naylence/fame/security/cert/trust-store/browser-trust-store-provider-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/env-provider.js +0 -168
- package/dist/cjs/naylence/fame/security/cert/trust-store/env-provider.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/fame-ca-certs-parser.js +0 -257
- package/dist/cjs/naylence/fame/security/cert/trust-store/fame-ca-certs-parser.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js +0 -497
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.js +0 -2
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.js +0 -61
- package/dist/cjs/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/static-bundle-provider.js +0 -44
- package/dist/cjs/naylence/fame/security/cert/trust-store/static-bundle-provider.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/trust-store-provider-factory.js +0 -40
- package/dist/cjs/naylence/fame/security/cert/trust-store/trust-store-provider-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/trust-store/trust-store-provider.js +0 -2
- package/dist/cjs/naylence/fame/security/cert/trust-store/trust-store-provider.js.map +0 -1
- package/dist/cjs/naylence/fame/security/cert/util.js +0 -515
- package/dist/cjs/naylence/fame/security/cert/util.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/channel/channel-encryption-manager-factory.js +0 -85
- package/dist/cjs/naylence/fame/security/encryption/channel/channel-encryption-manager-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/channel/channel-encryption-manager.js +0 -743
- package/dist/cjs/naylence/fame/security/encryption/channel/channel-encryption-manager.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/channel/index.js +0 -3
- package/dist/cjs/naylence/fame/security/encryption/channel/index.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/composite-encryption-manager-factory.js +0 -113
- package/dist/cjs/naylence/fame/security/encryption/composite-encryption-manager-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/composite-encryption-manager.js +0 -321
- package/dist/cjs/naylence/fame/security/encryption/composite-encryption-manager.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/default-secure-channel-manager-factory.js +0 -53
- package/dist/cjs/naylence/fame/security/encryption/default-secure-channel-manager-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/default-secure-channel-manager.js +0 -278
- package/dist/cjs/naylence/fame/security/encryption/default-secure-channel-manager.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/encryption-manager-registry.js +0 -167
- package/dist/cjs/naylence/fame/security/encryption/encryption-manager-registry.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/index.js +0 -7
- package/dist/cjs/naylence/fame/security/encryption/index.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/sealed/index.js +0 -3
- package/dist/cjs/naylence/fame/security/encryption/sealed/index.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/sealed/x25519-encryption-manager-factory.js +0 -82
- package/dist/cjs/naylence/fame/security/encryption/sealed/x25519-encryption-manager-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/encryption/sealed/x25519-encryption-manager.js +0 -542
- package/dist/cjs/naylence/fame/security/encryption/sealed/x25519-encryption-manager.js.map +0 -1
- package/dist/cjs/naylence/fame/security/index.js +0 -6
- package/dist/cjs/naylence/fame/security/index.js.map +0 -1
- package/dist/cjs/naylence/fame/security/keys/index.js +0 -3
- package/dist/cjs/naylence/fame/security/keys/index.js.map +0 -1
- package/dist/cjs/naylence/fame/security/keys/x5c-key-manager-factory.js +0 -36
- package/dist/cjs/naylence/fame/security/keys/x5c-key-manager-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/keys/x5c-key-manager.js +0 -405
- package/dist/cjs/naylence/fame/security/keys/x5c-key-manager.js.map +0 -1
- package/dist/cjs/naylence/fame/security/register-advanced-security-factories.js +0 -283
- package/dist/cjs/naylence/fame/security/register-advanced-security-factories.js.map +0 -1
- package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-signer-factory.js +0 -34
- package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-signer-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-verifier-factory.js +0 -33
- package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-verifier-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-verifier.js +0 -189
- package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-verifier.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-helper.js +0 -72
- package/dist/cjs/naylence/fame/stickiness/aft-helper.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.js +0 -65
- package/dist/cjs/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-load-balancer-stickiness-manager.js +0 -447
- package/dist/cjs/naylence/fame/stickiness/aft-load-balancer-stickiness-manager.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-model.js +0 -54
- package/dist/cjs/naylence/fame/stickiness/aft-model.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-replica-stickiness-manager-factory.js +0 -50
- package/dist/cjs/naylence/fame/stickiness/aft-replica-stickiness-manager-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-replica-stickiness-manager.js +0 -203
- package/dist/cjs/naylence/fame/stickiness/aft-replica-stickiness-manager.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-signer.js +0 -147
- package/dist/cjs/naylence/fame/stickiness/aft-signer.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-utils.js +0 -90
- package/dist/cjs/naylence/fame/stickiness/aft-utils.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/aft-verifier.js +0 -290
- package/dist/cjs/naylence/fame/stickiness/aft-verifier.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/index.js +0 -11
- package/dist/cjs/naylence/fame/stickiness/index.js.map +0 -1
- package/dist/cjs/naylence/fame/stickiness/stickiness-mode.js +0 -24
- package/dist/cjs/naylence/fame/stickiness/stickiness-mode.js.map +0 -1
- package/dist/cjs/naylence/fame/welcome/advanced-welcome-service-factory.js +0 -93
- package/dist/cjs/naylence/fame/welcome/advanced-welcome-service-factory.js.map +0 -1
- package/dist/cjs/naylence/fame/welcome/advanced-welcome-service.js +0 -212
- package/dist/cjs/naylence/fame/welcome/advanced-welcome-service.js.map +0 -1
- package/dist/cjs/naylence/fame/welcome/index.js +0 -3
- package/dist/cjs/naylence/fame/welcome/index.js.map +0 -1
- package/dist/cjs/node.js +0 -11
- package/dist/cjs/node.js.map +0 -1
- package/dist/cjs/plugin.js +0 -39
- package/dist/cjs/plugin.js.map +0 -1
- package/dist/cjs/version.js +0 -8
- package/dist/cjs/version.js.map +0 -1
- package/dist/esm/advanced-security-isomorphic.js +0 -97
- package/dist/esm/advanced-security-isomorphic.js.map +0 -1
- package/dist/esm/browser.js +0 -25
- package/dist/esm/browser.js.map +0 -1
- package/dist/esm/index.js +0 -2
- package/dist/esm/index.js.map +0 -1
- package/dist/esm/install-env.js +0 -2
- package/dist/esm/install-env.js.map +0 -1
- package/dist/esm/naylence/fame/factory-manifest.js +0 -39
- package/dist/esm/naylence/fame/factory-manifest.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/browser-csr.js +0 -103
- package/dist/esm/naylence/fame/security/cert/browser-csr.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/ca-server-cli.js +0 -30
- package/dist/esm/naylence/fame/security/cert/ca-server-cli.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/ca-server.js +0 -223
- package/dist/esm/naylence/fame/security/cert/ca-server.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/ca-service-client.js +0 -585
- package/dist/esm/naylence/fame/security/cert/ca-service-client.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/ca-service-factory.js +0 -61
- package/dist/esm/naylence/fame/security/cert/ca-service-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/ca-types.js +0 -39
- package/dist/esm/naylence/fame/security/cert/ca-types.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/csr-types.js +0 -2
- package/dist/esm/naylence/fame/security/cert/csr-types.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/default-ca-service-factory.js +0 -66
- package/dist/esm/naylence/fame/security/cert/default-ca-service-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/default-ca-service.js +0 -364
- package/dist/esm/naylence/fame/security/cert/default-ca-service.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/default-certificate-manager-factory.js +0 -73
- package/dist/esm/naylence/fame/security/cert/default-certificate-manager-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/default-certificate-manager.js +0 -815
- package/dist/esm/naylence/fame/security/cert/default-certificate-manager.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/grants.js +0 -2
- package/dist/esm/naylence/fame/security/cert/grants.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/index.js +0 -18
- package/dist/esm/naylence/fame/security/cert/index.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/internal-ca-service.js +0 -741
- package/dist/esm/naylence/fame/security/cert/internal-ca-service.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/node-ed25519-csr.js +0 -156
- package/dist/esm/naylence/fame/security/cert/node-ed25519-csr.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/oid-constants.js +0 -7
- package/dist/esm/naylence/fame/security/cert/oid-constants.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/anchor-utils.js +0 -119
- package/dist/esm/naylence/fame/security/cert/trust-store/anchor-utils.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/browser-trust-store-provider-factory.js +0 -82
- package/dist/esm/naylence/fame/security/cert/trust-store/browser-trust-store-provider-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/env-provider.js +0 -168
- package/dist/esm/naylence/fame/security/cert/trust-store/env-provider.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/fame-ca-certs-parser.js +0 -257
- package/dist/esm/naylence/fame/security/cert/trust-store/fame-ca-certs-parser.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js +0 -497
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.js +0 -2
- package/dist/esm/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.js +0 -61
- package/dist/esm/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/static-bundle-provider.js +0 -44
- package/dist/esm/naylence/fame/security/cert/trust-store/static-bundle-provider.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/trust-store-provider-factory.js +0 -40
- package/dist/esm/naylence/fame/security/cert/trust-store/trust-store-provider-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/trust-store/trust-store-provider.js +0 -2
- package/dist/esm/naylence/fame/security/cert/trust-store/trust-store-provider.js.map +0 -1
- package/dist/esm/naylence/fame/security/cert/util.js +0 -515
- package/dist/esm/naylence/fame/security/cert/util.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/channel/channel-encryption-manager-factory.js +0 -85
- package/dist/esm/naylence/fame/security/encryption/channel/channel-encryption-manager-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/channel/channel-encryption-manager.js +0 -743
- package/dist/esm/naylence/fame/security/encryption/channel/channel-encryption-manager.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/channel/index.js +0 -3
- package/dist/esm/naylence/fame/security/encryption/channel/index.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/composite-encryption-manager-factory.js +0 -113
- package/dist/esm/naylence/fame/security/encryption/composite-encryption-manager-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/composite-encryption-manager.js +0 -321
- package/dist/esm/naylence/fame/security/encryption/composite-encryption-manager.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/default-secure-channel-manager-factory.js +0 -53
- package/dist/esm/naylence/fame/security/encryption/default-secure-channel-manager-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/default-secure-channel-manager.js +0 -278
- package/dist/esm/naylence/fame/security/encryption/default-secure-channel-manager.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/encryption-manager-registry.js +0 -167
- package/dist/esm/naylence/fame/security/encryption/encryption-manager-registry.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/index.js +0 -7
- package/dist/esm/naylence/fame/security/encryption/index.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/sealed/index.js +0 -3
- package/dist/esm/naylence/fame/security/encryption/sealed/index.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/sealed/x25519-encryption-manager-factory.js +0 -82
- package/dist/esm/naylence/fame/security/encryption/sealed/x25519-encryption-manager-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/encryption/sealed/x25519-encryption-manager.js +0 -542
- package/dist/esm/naylence/fame/security/encryption/sealed/x25519-encryption-manager.js.map +0 -1
- package/dist/esm/naylence/fame/security/index.js +0 -6
- package/dist/esm/naylence/fame/security/index.js.map +0 -1
- package/dist/esm/naylence/fame/security/keys/index.js +0 -3
- package/dist/esm/naylence/fame/security/keys/index.js.map +0 -1
- package/dist/esm/naylence/fame/security/keys/x5c-key-manager-factory.js +0 -36
- package/dist/esm/naylence/fame/security/keys/x5c-key-manager-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/keys/x5c-key-manager.js +0 -405
- package/dist/esm/naylence/fame/security/keys/x5c-key-manager.js.map +0 -1
- package/dist/esm/naylence/fame/security/register-advanced-security-factories.js +0 -283
- package/dist/esm/naylence/fame/security/register-advanced-security-factories.js.map +0 -1
- package/dist/esm/naylence/fame/security/signing/eddsa-envelope-signer-factory.js +0 -34
- package/dist/esm/naylence/fame/security/signing/eddsa-envelope-signer-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/signing/eddsa-envelope-verifier-factory.js +0 -33
- package/dist/esm/naylence/fame/security/signing/eddsa-envelope-verifier-factory.js.map +0 -1
- package/dist/esm/naylence/fame/security/signing/eddsa-envelope-verifier.js +0 -189
- package/dist/esm/naylence/fame/security/signing/eddsa-envelope-verifier.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-helper.js +0 -72
- package/dist/esm/naylence/fame/stickiness/aft-helper.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.js +0 -65
- package/dist/esm/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-load-balancer-stickiness-manager.js +0 -447
- package/dist/esm/naylence/fame/stickiness/aft-load-balancer-stickiness-manager.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-model.js +0 -54
- package/dist/esm/naylence/fame/stickiness/aft-model.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-replica-stickiness-manager-factory.js +0 -50
- package/dist/esm/naylence/fame/stickiness/aft-replica-stickiness-manager-factory.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-replica-stickiness-manager.js +0 -203
- package/dist/esm/naylence/fame/stickiness/aft-replica-stickiness-manager.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-signer.js +0 -147
- package/dist/esm/naylence/fame/stickiness/aft-signer.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-utils.js +0 -90
- package/dist/esm/naylence/fame/stickiness/aft-utils.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/aft-verifier.js +0 -290
- package/dist/esm/naylence/fame/stickiness/aft-verifier.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/index.js +0 -11
- package/dist/esm/naylence/fame/stickiness/index.js.map +0 -1
- package/dist/esm/naylence/fame/stickiness/stickiness-mode.js +0 -24
- package/dist/esm/naylence/fame/stickiness/stickiness-mode.js.map +0 -1
- package/dist/esm/naylence/fame/welcome/advanced-welcome-service-factory.js +0 -93
- package/dist/esm/naylence/fame/welcome/advanced-welcome-service-factory.js.map +0 -1
- package/dist/esm/naylence/fame/welcome/advanced-welcome-service.js +0 -212
- package/dist/esm/naylence/fame/welcome/advanced-welcome-service.js.map +0 -1
- package/dist/esm/naylence/fame/welcome/index.js +0 -3
- package/dist/esm/naylence/fame/welcome/index.js.map +0 -1
- package/dist/esm/node.js +0 -11
- package/dist/esm/node.js.map +0 -1
- package/dist/esm/plugin.js +0 -39
- package/dist/esm/plugin.js.map +0 -1
- package/dist/esm/version.js +0 -8
- package/dist/esm/version.js.map +0 -1
- package/dist/node/index.cjs +0 -9870
- package/dist/node/index.mjs +0 -9815
- package/dist/node/node.cjs +0 -10154
- package/dist/node/node.mjs +0 -10061
- package/dist/types/advanced-security-isomorphic.d.ts +0 -24
- package/dist/types/advanced-security-isomorphic.d.ts.map +0 -1
- package/dist/types/browser.d.ts +0 -19
- package/dist/types/browser.d.ts.map +0 -1
- package/dist/types/index.d.ts +0 -2
- package/dist/types/index.d.ts.map +0 -1
- package/dist/types/install-env.d.ts +0 -3
- package/dist/types/install-env.d.ts.map +0 -1
- package/dist/types/naylence/fame/factory-manifest.d.ts +0 -11
- package/dist/types/naylence/fame/factory-manifest.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/browser-csr.d.ts +0 -9
- package/dist/types/naylence/fame/security/cert/browser-csr.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/ca-server-cli.d.ts +0 -3
- package/dist/types/naylence/fame/security/cert/ca-server-cli.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/ca-server.d.ts +0 -19
- package/dist/types/naylence/fame/security/cert/ca-server.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/ca-service-client.d.ts +0 -75
- package/dist/types/naylence/fame/security/cert/ca-service-client.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/ca-service-factory.d.ts +0 -43
- package/dist/types/naylence/fame/security/cert/ca-service-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/ca-types.d.ts +0 -129
- package/dist/types/naylence/fame/security/cert/ca-types.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/csr-types.d.ts +0 -5
- package/dist/types/naylence/fame/security/cert/csr-types.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/default-ca-service-factory.d.ts +0 -55
- package/dist/types/naylence/fame/security/cert/default-ca-service-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/default-ca-service.d.ts +0 -85
- package/dist/types/naylence/fame/security/cert/default-ca-service.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/default-certificate-manager-factory.d.ts +0 -25
- package/dist/types/naylence/fame/security/cert/default-certificate-manager-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/default-certificate-manager.d.ts +0 -70
- package/dist/types/naylence/fame/security/cert/default-certificate-manager.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/grants.d.ts +0 -2
- package/dist/types/naylence/fame/security/cert/grants.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/index.d.ts +0 -19
- package/dist/types/naylence/fame/security/cert/index.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/internal-ca-service.d.ts +0 -129
- package/dist/types/naylence/fame/security/cert/internal-ca-service.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/node-ed25519-csr.d.ts +0 -9
- package/dist/types/naylence/fame/security/cert/node-ed25519-csr.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/oid-constants.d.ts +0 -7
- package/dist/types/naylence/fame/security/cert/oid-constants.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/anchor-utils.d.ts +0 -12
- package/dist/types/naylence/fame/security/cert/trust-store/anchor-utils.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/browser-trust-store-provider-factory.d.ts +0 -29
- package/dist/types/naylence/fame/security/cert/trust-store/browser-trust-store-provider-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/env-provider.d.ts +0 -7
- package/dist/types/naylence/fame/security/cert/trust-store/env-provider.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/fame-ca-certs-parser.d.ts +0 -9
- package/dist/types/naylence/fame/security/cert/trust-store/fame-ca-certs-parser.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/http-bundle-provider.d.ts +0 -35
- package/dist/types/naylence/fame/security/cert/trust-store/http-bundle-provider.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.d.ts +0 -2
- package/dist/types/naylence/fame/security/cert/trust-store/http-signed-bundle-provider.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.d.ts +0 -23
- package/dist/types/naylence/fame/security/cert/trust-store/node-trust-store-provider-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/static-bundle-provider.d.ts +0 -15
- package/dist/types/naylence/fame/security/cert/trust-store/static-bundle-provider.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/trust-store-provider-factory.d.ts +0 -28
- package/dist/types/naylence/fame/security/cert/trust-store/trust-store-provider-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/trust-store/trust-store-provider.d.ts +0 -43
- package/dist/types/naylence/fame/security/cert/trust-store/trust-store-provider.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/cert/util.d.ts +0 -25
- package/dist/types/naylence/fame/security/cert/util.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/channel/channel-encryption-manager-factory.d.ts +0 -29
- package/dist/types/naylence/fame/security/encryption/channel/channel-encryption-manager-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/channel/channel-encryption-manager.d.ts +0 -51
- package/dist/types/naylence/fame/security/encryption/channel/channel-encryption-manager.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/channel/index.d.ts +0 -3
- package/dist/types/naylence/fame/security/encryption/channel/index.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/composite-encryption-manager-factory.d.ts +0 -32
- package/dist/types/naylence/fame/security/encryption/composite-encryption-manager-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/composite-encryption-manager.d.ts +0 -52
- package/dist/types/naylence/fame/security/encryption/composite-encryption-manager.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/default-secure-channel-manager-factory.d.ts +0 -23
- package/dist/types/naylence/fame/security/encryption/default-secure-channel-manager-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/default-secure-channel-manager.d.ts +0 -37
- package/dist/types/naylence/fame/security/encryption/default-secure-channel-manager.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/encryption-manager-registry.d.ts +0 -34
- package/dist/types/naylence/fame/security/encryption/encryption-manager-registry.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/index.d.ts +0 -7
- package/dist/types/naylence/fame/security/encryption/index.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/sealed/index.d.ts +0 -3
- package/dist/types/naylence/fame/security/encryption/sealed/index.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/sealed/x25519-encryption-manager-factory.d.ts +0 -28
- package/dist/types/naylence/fame/security/encryption/sealed/x25519-encryption-manager-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/encryption/sealed/x25519-encryption-manager.d.ts +0 -43
- package/dist/types/naylence/fame/security/encryption/sealed/x25519-encryption-manager.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/index.d.ts +0 -6
- package/dist/types/naylence/fame/security/index.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/keys/index.d.ts +0 -3
- package/dist/types/naylence/fame/security/keys/index.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/keys/x5c-key-manager-factory.d.ts +0 -19
- package/dist/types/naylence/fame/security/keys/x5c-key-manager-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/keys/x5c-key-manager.d.ts +0 -39
- package/dist/types/naylence/fame/security/keys/x5c-key-manager.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/register-advanced-security-factories.d.ts +0 -8
- package/dist/types/naylence/fame/security/register-advanced-security-factories.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/signing/eddsa-envelope-signer-factory.d.ts +0 -20
- package/dist/types/naylence/fame/security/signing/eddsa-envelope-signer-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/signing/eddsa-envelope-verifier-factory.d.ts +0 -21
- package/dist/types/naylence/fame/security/signing/eddsa-envelope-verifier-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/security/signing/eddsa-envelope-verifier.d.ts +0 -22
- package/dist/types/naylence/fame/security/signing/eddsa-envelope-verifier.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-helper.d.ts +0 -29
- package/dist/types/naylence/fame/stickiness/aft-helper.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.d.ts +0 -25
- package/dist/types/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-load-balancer-stickiness-manager.d.ts +0 -33
- package/dist/types/naylence/fame/stickiness/aft-load-balancer-stickiness-manager.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-model.d.ts +0 -33
- package/dist/types/naylence/fame/stickiness/aft-model.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-replica-stickiness-manager-factory.d.ts +0 -23
- package/dist/types/naylence/fame/stickiness/aft-replica-stickiness-manager-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-replica-stickiness-manager.d.ts +0 -31
- package/dist/types/naylence/fame/stickiness/aft-replica-stickiness-manager.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-signer.d.ts +0 -55
- package/dist/types/naylence/fame/stickiness/aft-signer.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-utils.d.ts +0 -4
- package/dist/types/naylence/fame/stickiness/aft-utils.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/aft-verifier.d.ts +0 -50
- package/dist/types/naylence/fame/stickiness/aft-verifier.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/index.d.ts +0 -15
- package/dist/types/naylence/fame/stickiness/index.d.ts.map +0 -1
- package/dist/types/naylence/fame/stickiness/stickiness-mode.d.ts +0 -7
- package/dist/types/naylence/fame/stickiness/stickiness-mode.d.ts.map +0 -1
- package/dist/types/naylence/fame/welcome/advanced-welcome-service-factory.d.ts +0 -21
- package/dist/types/naylence/fame/welcome/advanced-welcome-service-factory.d.ts.map +0 -1
- package/dist/types/naylence/fame/welcome/advanced-welcome-service.d.ts +0 -21
- package/dist/types/naylence/fame/welcome/advanced-welcome-service.d.ts.map +0 -1
- package/dist/types/naylence/fame/welcome/index.d.ts +0 -3
- package/dist/types/naylence/fame/welcome/index.d.ts.map +0 -1
- package/dist/types/node.d.ts +0 -11
- package/dist/types/node.d.ts.map +0 -1
- package/dist/types/plugin.d.ts +0 -11
- package/dist/types/plugin.d.ts.map +0 -1
- package/dist/types/version.d.ts +0 -6
- package/dist/types/version.d.ts.map +0 -1
|
@@ -1,741 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Certificate Authority signing service for node certificates.
|
|
3
|
-
*
|
|
4
|
-
* Provides in-process API for issuing certificates with node physical
|
|
5
|
-
* and host-like logical address information using SPIFFE-compliant identities.
|
|
6
|
-
*/
|
|
7
|
-
import { AsnConvert, OctetString } from "@peculiar/asn1-schema";
|
|
8
|
-
import { AlgorithmIdentifier, AttributeTypeAndValue, AttributeValue, AuthorityKeyIdentifier, BasicConstraints, Certificate, Extension, Extensions, ExtendedKeyUsage, GeneralName, GeneralSubtree, GeneralSubtrees, KeyIdentifier, KeyUsage as X509KeyUsage, KeyUsageFlags, Name, NameConstraints, RelativeDistinguishedName, SubjectAlternativeName, SubjectPublicKeyInfo, SubjectKeyIdentifier, TBSCertificate, Validity, Version, id_ce_authorityKeyIdentifier, id_ce_basicConstraints, id_ce_extKeyUsage, id_ce_keyUsage, id_ce_nameConstraints, id_ce_subjectAltName, id_ce_subjectKeyIdentifier, id_kp_clientAuth, id_kp_serverAuth, } from "@peculiar/asn1-x509";
|
|
9
|
-
import { CertificationRequest } from "@peculiar/asn1-csr";
|
|
10
|
-
import { secureDigest, validateHostLogical } from "@naylence/runtime/node";
|
|
11
|
-
import { CAService } from "./ca-types.js";
|
|
12
|
-
import { LOGICALS_OID, NODE_ID_OID, SID_OID } from "./oid-constants.js";
|
|
13
|
-
const ED25519_OID = "1.3.101.112";
|
|
14
|
-
let x509ModulePromise = null;
|
|
15
|
-
let cryptoPromise = null;
|
|
16
|
-
let subtleCryptoPromise = null;
|
|
17
|
-
/**
|
|
18
|
-
* Lazy-load the @peculiar/x509 module.
|
|
19
|
-
*/
|
|
20
|
-
async function loadX509Module() {
|
|
21
|
-
if (!x509ModulePromise) {
|
|
22
|
-
x509ModulePromise = import("@peculiar/x509")
|
|
23
|
-
.then((mod) => {
|
|
24
|
-
if (mod && typeof mod.X509Certificate === "function") {
|
|
25
|
-
return mod;
|
|
26
|
-
}
|
|
27
|
-
return null;
|
|
28
|
-
})
|
|
29
|
-
.catch((error) => {
|
|
30
|
-
console.error("Failed to load @peculiar/x509:", error);
|
|
31
|
-
return null;
|
|
32
|
-
});
|
|
33
|
-
}
|
|
34
|
-
return x509ModulePromise;
|
|
35
|
-
}
|
|
36
|
-
async function ensureCrypto() {
|
|
37
|
-
if (typeof globalThis.crypto !== "undefined" && globalThis.crypto.subtle) {
|
|
38
|
-
return globalThis.crypto;
|
|
39
|
-
}
|
|
40
|
-
if (!cryptoPromise) {
|
|
41
|
-
if (typeof process !== "undefined" &&
|
|
42
|
-
typeof process.versions?.node === "string") {
|
|
43
|
-
cryptoPromise = import("node:crypto").then((cryptoModule) => {
|
|
44
|
-
const webcrypto = cryptoModule
|
|
45
|
-
.webcrypto;
|
|
46
|
-
if (!webcrypto || !webcrypto.subtle) {
|
|
47
|
-
throw new Error("WebCrypto API is not available in this Node.js runtime");
|
|
48
|
-
}
|
|
49
|
-
globalThis.crypto = webcrypto;
|
|
50
|
-
return webcrypto;
|
|
51
|
-
});
|
|
52
|
-
}
|
|
53
|
-
else {
|
|
54
|
-
cryptoPromise = Promise.reject(new Error("WebCrypto API is not available in this environment"));
|
|
55
|
-
}
|
|
56
|
-
}
|
|
57
|
-
return cryptoPromise;
|
|
58
|
-
}
|
|
59
|
-
async function getSubtleCrypto() {
|
|
60
|
-
if (!subtleCryptoPromise) {
|
|
61
|
-
subtleCryptoPromise = ensureCrypto().then((cryptoImpl) => cryptoImpl.subtle);
|
|
62
|
-
}
|
|
63
|
-
return subtleCryptoPromise;
|
|
64
|
-
}
|
|
65
|
-
async function importEd25519PrivateKey(pem, keyUsages = ["sign"]) {
|
|
66
|
-
const subtle = await getSubtleCrypto();
|
|
67
|
-
const der = pemToDer(pem);
|
|
68
|
-
try {
|
|
69
|
-
return await subtle.importKey("pkcs8", der, { name: "Ed25519" }, false, keyUsages);
|
|
70
|
-
}
|
|
71
|
-
catch (error) {
|
|
72
|
-
throw new Error(`Failed to import Ed25519 private key: ${error.message}`);
|
|
73
|
-
}
|
|
74
|
-
}
|
|
75
|
-
async function importEd25519PublicKey(pem, keyUsages = ["verify"]) {
|
|
76
|
-
const subtle = await getSubtleCrypto();
|
|
77
|
-
const der = pemToDer(pem);
|
|
78
|
-
try {
|
|
79
|
-
return await subtle.importKey("spki", der, { name: "Ed25519" }, true, keyUsages);
|
|
80
|
-
}
|
|
81
|
-
catch (error) {
|
|
82
|
-
throw new Error(`Failed to import Ed25519 public key: ${error.message}`);
|
|
83
|
-
}
|
|
84
|
-
}
|
|
85
|
-
async function computeKeyIdentifier(key) {
|
|
86
|
-
const subtle = await getSubtleCrypto();
|
|
87
|
-
let spki;
|
|
88
|
-
if (key instanceof ArrayBuffer) {
|
|
89
|
-
spki = key;
|
|
90
|
-
}
|
|
91
|
-
else if (ArrayBuffer.isView(key)) {
|
|
92
|
-
const view = new Uint8Array(key.buffer, key.byteOffset, key.byteLength);
|
|
93
|
-
spki = view.slice().buffer;
|
|
94
|
-
}
|
|
95
|
-
else {
|
|
96
|
-
spki = await subtle.exportKey("spki", key);
|
|
97
|
-
}
|
|
98
|
-
const digest = await subtle.digest("SHA-256", spki);
|
|
99
|
-
return new Uint8Array(digest);
|
|
100
|
-
}
|
|
101
|
-
function toArrayBuffer(view) {
|
|
102
|
-
return new Uint8Array(view).buffer;
|
|
103
|
-
}
|
|
104
|
-
function serializeAsn(value) {
|
|
105
|
-
return AsnConvert.serialize(value);
|
|
106
|
-
}
|
|
107
|
-
function hexToArrayBuffer(hex) {
|
|
108
|
-
const normalized = hex.length % 2 === 0 ? hex : `0${hex}`;
|
|
109
|
-
const bytes = new Uint8Array(normalized.length / 2);
|
|
110
|
-
for (let i = 0; i < bytes.length; i += 1) {
|
|
111
|
-
const byte = normalized.slice(i * 2, i * 2 + 2);
|
|
112
|
-
bytes[i] = Number.parseInt(byte, 16);
|
|
113
|
-
}
|
|
114
|
-
return bytes.buffer;
|
|
115
|
-
}
|
|
116
|
-
async function createEd25519Certificate(options) {
|
|
117
|
-
const subtle = await getSubtleCrypto();
|
|
118
|
-
await ensureCrypto();
|
|
119
|
-
const serialHex = generateSerialNumber();
|
|
120
|
-
const issuerName = cloneName(options.issuer);
|
|
121
|
-
const subjectName = cloneName(options.subject);
|
|
122
|
-
const subjectSpki = await subtle.exportKey("spki", options.subjectPublicKey);
|
|
123
|
-
const subjectPublicKeyInfo = AsnConvert.parse(subjectSpki, SubjectPublicKeyInfo);
|
|
124
|
-
subjectPublicKeyInfo.algorithm = new AlgorithmIdentifier({
|
|
125
|
-
algorithm: ED25519_OID,
|
|
126
|
-
});
|
|
127
|
-
const signatureAlgorithm = new AlgorithmIdentifier({
|
|
128
|
-
algorithm: ED25519_OID,
|
|
129
|
-
});
|
|
130
|
-
const extensions = options.extensions?.length
|
|
131
|
-
? new Extensions(options.extensions.map((ext) => new Extension({
|
|
132
|
-
extnID: ext.type,
|
|
133
|
-
critical: ext.critical,
|
|
134
|
-
extnValue: new OctetString(ext.value),
|
|
135
|
-
})))
|
|
136
|
-
: undefined;
|
|
137
|
-
const tbsCertificate = new TBSCertificate({
|
|
138
|
-
version: Version.v3,
|
|
139
|
-
serialNumber: hexToArrayBuffer(serialHex),
|
|
140
|
-
signature: signatureAlgorithm,
|
|
141
|
-
issuer: issuerName,
|
|
142
|
-
validity: new Validity({
|
|
143
|
-
notBefore: options.notBefore,
|
|
144
|
-
notAfter: options.notAfter,
|
|
145
|
-
}),
|
|
146
|
-
subject: subjectName,
|
|
147
|
-
subjectPublicKeyInfo,
|
|
148
|
-
extensions,
|
|
149
|
-
});
|
|
150
|
-
const tbsDer = AsnConvert.serialize(tbsCertificate);
|
|
151
|
-
const signature = await subtle.sign("Ed25519", options.signingKey, tbsDer);
|
|
152
|
-
const certificate = new Certificate({
|
|
153
|
-
tbsCertificate,
|
|
154
|
-
signatureAlgorithm,
|
|
155
|
-
signatureValue: signature,
|
|
156
|
-
});
|
|
157
|
-
certificate.tbsCertificateRaw = tbsDer;
|
|
158
|
-
return AsnConvert.serialize(certificate);
|
|
159
|
-
}
|
|
160
|
-
function derToPem(der, label) {
|
|
161
|
-
const base64 = bufferToBase64(der);
|
|
162
|
-
return `-----BEGIN ${label}-----\n${formatPem(base64)}\n-----END ${label}-----\n`;
|
|
163
|
-
}
|
|
164
|
-
function addDays(base, days) {
|
|
165
|
-
const result = new Date(base.getTime());
|
|
166
|
-
result.setUTCDate(result.getUTCDate() + days);
|
|
167
|
-
return result;
|
|
168
|
-
}
|
|
169
|
-
function generateSerialNumber(bytes = 16) {
|
|
170
|
-
const cryptoImpl = globalThis.crypto;
|
|
171
|
-
if (!cryptoImpl) {
|
|
172
|
-
throw new Error("Crypto API not initialized");
|
|
173
|
-
}
|
|
174
|
-
const random = new Uint8Array(bytes);
|
|
175
|
-
cryptoImpl.getRandomValues(random);
|
|
176
|
-
random[0] &= 0x7f;
|
|
177
|
-
return Array.from(random, (value) => value.toString(16).padStart(2, "0")).join("");
|
|
178
|
-
}
|
|
179
|
-
function getFameRootDomain() {
|
|
180
|
-
if (typeof process !== "undefined" && process.env?.FAME_ROOT) {
|
|
181
|
-
return process.env.FAME_ROOT;
|
|
182
|
-
}
|
|
183
|
-
return "fame.fabric";
|
|
184
|
-
}
|
|
185
|
-
const OID_COMMON_NAME = "2.5.4.3";
|
|
186
|
-
const OID_ORGANIZATIONAL_UNIT = "2.5.4.11";
|
|
187
|
-
const OID_ORGANIZATION = "2.5.4.10";
|
|
188
|
-
function createRelativeDistinguishedName(oid, value) {
|
|
189
|
-
return new RelativeDistinguishedName([
|
|
190
|
-
new AttributeTypeAndValue({
|
|
191
|
-
type: oid,
|
|
192
|
-
value: new AttributeValue({ utf8String: value }),
|
|
193
|
-
}),
|
|
194
|
-
]);
|
|
195
|
-
}
|
|
196
|
-
function buildCertificateName(commonName, organization, organizationalUnit) {
|
|
197
|
-
const rdns = [
|
|
198
|
-
createRelativeDistinguishedName(OID_COMMON_NAME, commonName),
|
|
199
|
-
];
|
|
200
|
-
if (organizationalUnit) {
|
|
201
|
-
rdns.push(createRelativeDistinguishedName(OID_ORGANIZATIONAL_UNIT, organizationalUnit));
|
|
202
|
-
}
|
|
203
|
-
if (organization) {
|
|
204
|
-
rdns.push(createRelativeDistinguishedName(OID_ORGANIZATION, organization));
|
|
205
|
-
}
|
|
206
|
-
return new Name(rdns);
|
|
207
|
-
}
|
|
208
|
-
function cloneName(name) {
|
|
209
|
-
return AsnConvert.parse(AsnConvert.serialize(name), Name);
|
|
210
|
-
}
|
|
211
|
-
function getCertificateIdentity(cert) {
|
|
212
|
-
const parsed = AsnConvert.parse(cert.rawData, Certificate);
|
|
213
|
-
return {
|
|
214
|
-
name: cloneName(parsed.tbsCertificate.subject),
|
|
215
|
-
subjectPublicKeyInfo: AsnConvert.serialize(parsed.tbsCertificate.subjectPublicKeyInfo),
|
|
216
|
-
};
|
|
217
|
-
}
|
|
218
|
-
async function buildCaExtensions(subjectPublicKey, issuerPublicKey, options) {
|
|
219
|
-
const extensions = [];
|
|
220
|
-
const basicConstraints = new BasicConstraints({ cA: true });
|
|
221
|
-
if (options.pathLength !== null && options.pathLength !== undefined) {
|
|
222
|
-
basicConstraints.pathLenConstraint = options.pathLength;
|
|
223
|
-
}
|
|
224
|
-
extensions.push({
|
|
225
|
-
type: id_ce_basicConstraints,
|
|
226
|
-
critical: true,
|
|
227
|
-
value: serializeAsn(basicConstraints),
|
|
228
|
-
});
|
|
229
|
-
const keyUsageFlags = KeyUsageFlags.digitalSignature |
|
|
230
|
-
KeyUsageFlags.keyCertSign |
|
|
231
|
-
KeyUsageFlags.cRLSign;
|
|
232
|
-
extensions.push({
|
|
233
|
-
type: id_ce_keyUsage,
|
|
234
|
-
critical: true,
|
|
235
|
-
value: serializeAsn(new X509KeyUsage(keyUsageFlags)),
|
|
236
|
-
});
|
|
237
|
-
const subjectKeyId = await computeKeyIdentifier(subjectPublicKey);
|
|
238
|
-
extensions.push({
|
|
239
|
-
type: id_ce_subjectKeyIdentifier,
|
|
240
|
-
critical: false,
|
|
241
|
-
value: serializeAsn(new SubjectKeyIdentifier(subjectKeyId)),
|
|
242
|
-
});
|
|
243
|
-
const authorityKeyId = await computeKeyIdentifier(issuerPublicKey);
|
|
244
|
-
extensions.push({
|
|
245
|
-
type: id_ce_authorityKeyIdentifier,
|
|
246
|
-
critical: false,
|
|
247
|
-
value: serializeAsn(new AuthorityKeyIdentifier({
|
|
248
|
-
keyIdentifier: new KeyIdentifier(authorityKeyId),
|
|
249
|
-
})),
|
|
250
|
-
});
|
|
251
|
-
if (options.permittedDnsDomains?.length) {
|
|
252
|
-
const permittedSubtrees = new GeneralSubtrees(options.permittedDnsDomains.map((domain) => new GeneralSubtree({ base: new GeneralName({ dNSName: domain }) })));
|
|
253
|
-
const constraints = new NameConstraints({ permittedSubtrees });
|
|
254
|
-
extensions.push({
|
|
255
|
-
type: id_ce_nameConstraints,
|
|
256
|
-
critical: true,
|
|
257
|
-
value: serializeAsn(constraints),
|
|
258
|
-
});
|
|
259
|
-
}
|
|
260
|
-
return extensions;
|
|
261
|
-
}
|
|
262
|
-
async function buildLeafExtensions(publicKey, nodeSid, nodeId, spiffeId, logicalHosts, issuerPublicKey) {
|
|
263
|
-
const extensions = [];
|
|
264
|
-
extensions.push({
|
|
265
|
-
type: id_ce_subjectAltName,
|
|
266
|
-
critical: false,
|
|
267
|
-
value: serializeAsn(new SubjectAlternativeName([
|
|
268
|
-
new GeneralName({ uniformResourceIdentifier: spiffeId }),
|
|
269
|
-
])),
|
|
270
|
-
});
|
|
271
|
-
const keyUsageFlags = KeyUsageFlags.digitalSignature;
|
|
272
|
-
extensions.push({
|
|
273
|
-
type: id_ce_keyUsage,
|
|
274
|
-
critical: true,
|
|
275
|
-
value: serializeAsn(new X509KeyUsage(keyUsageFlags)),
|
|
276
|
-
});
|
|
277
|
-
extensions.push({
|
|
278
|
-
type: id_ce_extKeyUsage,
|
|
279
|
-
critical: false,
|
|
280
|
-
value: serializeAsn(new ExtendedKeyUsage([id_kp_clientAuth, id_kp_serverAuth])),
|
|
281
|
-
});
|
|
282
|
-
const subjectKeyId = await computeKeyIdentifier(publicKey);
|
|
283
|
-
extensions.push({
|
|
284
|
-
type: id_ce_subjectKeyIdentifier,
|
|
285
|
-
critical: false,
|
|
286
|
-
value: serializeAsn(new SubjectKeyIdentifier(subjectKeyId)),
|
|
287
|
-
});
|
|
288
|
-
const authorityKeyId = await computeKeyIdentifier(issuerPublicKey);
|
|
289
|
-
extensions.push({
|
|
290
|
-
type: id_ce_authorityKeyIdentifier,
|
|
291
|
-
critical: false,
|
|
292
|
-
value: serializeAsn(new AuthorityKeyIdentifier({
|
|
293
|
-
keyIdentifier: new KeyIdentifier(authorityKeyId),
|
|
294
|
-
})),
|
|
295
|
-
});
|
|
296
|
-
extensions.push({
|
|
297
|
-
type: SID_OID,
|
|
298
|
-
critical: false,
|
|
299
|
-
value: toArrayBuffer(new TextEncoder().encode(nodeSid)),
|
|
300
|
-
});
|
|
301
|
-
extensions.push({
|
|
302
|
-
type: NODE_ID_OID,
|
|
303
|
-
critical: false,
|
|
304
|
-
value: toArrayBuffer(new TextEncoder().encode(nodeId)),
|
|
305
|
-
});
|
|
306
|
-
if (logicalHosts.length) {
|
|
307
|
-
const logicalsJson = JSON.stringify(logicalHosts);
|
|
308
|
-
extensions.push({
|
|
309
|
-
type: LOGICALS_OID,
|
|
310
|
-
critical: false,
|
|
311
|
-
value: toArrayBuffer(new TextEncoder().encode(logicalsJson)),
|
|
312
|
-
});
|
|
313
|
-
}
|
|
314
|
-
return extensions;
|
|
315
|
-
}
|
|
316
|
-
/**
|
|
317
|
-
* In-process certificate signing service.
|
|
318
|
-
*
|
|
319
|
-
* Issues SPIFFE-compliant node certificates with Fame-specific extensions
|
|
320
|
-
* for physical paths and logical addresses.
|
|
321
|
-
*/
|
|
322
|
-
export class CASigningService extends CAService {
|
|
323
|
-
constructor(options) {
|
|
324
|
-
super();
|
|
325
|
-
this.rootCertPem = options.rootCertPem;
|
|
326
|
-
this.rootKeyPem = options.rootKeyPem;
|
|
327
|
-
this.intermediateCertPem = options.intermediateCertPem;
|
|
328
|
-
this.intermediateKeyPem = options.intermediateKeyPem;
|
|
329
|
-
}
|
|
330
|
-
async ensureRootMaterials() {
|
|
331
|
-
const x509 = await loadX509Module();
|
|
332
|
-
if (!x509) {
|
|
333
|
-
throw new Error("@peculiar/x509 module not available");
|
|
334
|
-
}
|
|
335
|
-
if (!this.rootCert) {
|
|
336
|
-
this.rootCert = new x509.X509Certificate(pemToDer(this.rootCertPem));
|
|
337
|
-
}
|
|
338
|
-
if (!this.rootKey) {
|
|
339
|
-
this.rootKey = await importEd25519PrivateKey(this.rootKeyPem);
|
|
340
|
-
}
|
|
341
|
-
return x509;
|
|
342
|
-
}
|
|
343
|
-
async ensureSigningMaterials() {
|
|
344
|
-
const x509 = await this.ensureRootMaterials();
|
|
345
|
-
if (this.intermediateCertPem && this.intermediateKeyPem) {
|
|
346
|
-
if (!this.signingCert) {
|
|
347
|
-
this.signingCert = new x509.X509Certificate(pemToDer(this.intermediateCertPem));
|
|
348
|
-
}
|
|
349
|
-
if (!this.signingKey) {
|
|
350
|
-
this.signingKey = await importEd25519PrivateKey(this.intermediateKeyPem);
|
|
351
|
-
}
|
|
352
|
-
}
|
|
353
|
-
else {
|
|
354
|
-
this.signingCert = this.rootCert;
|
|
355
|
-
this.signingKey = this.rootKey;
|
|
356
|
-
}
|
|
357
|
-
return x509;
|
|
358
|
-
}
|
|
359
|
-
getRootCertificate() {
|
|
360
|
-
if (!this.rootCert) {
|
|
361
|
-
throw new Error("Root certificate not initialized");
|
|
362
|
-
}
|
|
363
|
-
return this.rootCert;
|
|
364
|
-
}
|
|
365
|
-
getRootKey() {
|
|
366
|
-
if (!this.rootKey) {
|
|
367
|
-
throw new Error("Root private key not initialized");
|
|
368
|
-
}
|
|
369
|
-
return this.rootKey;
|
|
370
|
-
}
|
|
371
|
-
getSigningCertificate() {
|
|
372
|
-
if (!this.signingCert) {
|
|
373
|
-
throw new Error("Signing certificate not initialized");
|
|
374
|
-
}
|
|
375
|
-
return this.signingCert;
|
|
376
|
-
}
|
|
377
|
-
getSigningKey() {
|
|
378
|
-
if (!this.signingKey) {
|
|
379
|
-
throw new Error("Signing key not initialized");
|
|
380
|
-
}
|
|
381
|
-
return this.signingKey;
|
|
382
|
-
}
|
|
383
|
-
/**
|
|
384
|
-
* Issue a certificate from a CSR.
|
|
385
|
-
*
|
|
386
|
-
* Parses the PKCS#10 CSR, extracts the public key, calculates node SID,
|
|
387
|
-
* and signs a certificate. Mirrors Python's default_ca_service.issue_certificate.
|
|
388
|
-
*
|
|
389
|
-
* @param csr - Certificate signing request
|
|
390
|
-
* @returns Certificate issuance response with the signed certificate
|
|
391
|
-
*/
|
|
392
|
-
async issueCertificate(csr) {
|
|
393
|
-
// Parse PKCS#10 CSR to extract SubjectPublicKeyInfo
|
|
394
|
-
const csrDer = pemToDer(csr.csrPem);
|
|
395
|
-
const certRequest = AsnConvert.parse(csrDer, CertificationRequest);
|
|
396
|
-
const subjectPublicKeyInfo = certRequest.certificationRequestInfo.subjectPKInfo;
|
|
397
|
-
// Convert SubjectPublicKeyInfo to PEM format
|
|
398
|
-
const publicKeyDer = AsnConvert.serialize(subjectPublicKeyInfo);
|
|
399
|
-
const publicKeyPem = derToPem(publicKeyDer, "PUBLIC KEY");
|
|
400
|
-
// Determine node SID and physical path (mirrors Python logic)
|
|
401
|
-
const physicalPath = csr.physicalPath || `/unknown/${csr.requesterId}`;
|
|
402
|
-
const nodeSid = secureDigest(physicalPath);
|
|
403
|
-
const logicals = csr.logicals || [];
|
|
404
|
-
// Issue the certificate (short-lived: 1 day)
|
|
405
|
-
const certificatePem = await this.signNodeCert(publicKeyPem, csr.requesterId, // Use requesterId as node_id
|
|
406
|
-
nodeSid, physicalPath, logicals, 1, // TTL: 1 day (matches Python)
|
|
407
|
-
undefined);
|
|
408
|
-
// Parse certificate to get expiration
|
|
409
|
-
const certDer = pemToDer(certificatePem);
|
|
410
|
-
const cert = AsnConvert.parse(certDer, Certificate);
|
|
411
|
-
const notAfter = cert.tbsCertificate.validity.notAfter.getTime();
|
|
412
|
-
const expiresAt = new Date(notAfter).toISOString();
|
|
413
|
-
return {
|
|
414
|
-
certificatePem,
|
|
415
|
-
expiresAt,
|
|
416
|
-
};
|
|
417
|
-
}
|
|
418
|
-
/**
|
|
419
|
-
* Sign a SPIFFE-compatible node certificate with SID-based identity.
|
|
420
|
-
*
|
|
421
|
-
* @param publicKeyPem - Node's public key in PEM format
|
|
422
|
-
* @param nodeId - Unique identifier for the node
|
|
423
|
-
* @param nodeSid - Node's pre-computed SID (base62-encoded)
|
|
424
|
-
* @param physicalPath - Physical path (for SID verification only)
|
|
425
|
-
* @param logicals - List of host-like logical addresses
|
|
426
|
-
* @param ttlDays - Certificate validity period in days
|
|
427
|
-
* @param spiffeTrustDomain - SPIFFE trust domain
|
|
428
|
-
* @returns PEM-encoded signed certificate
|
|
429
|
-
*/
|
|
430
|
-
async signNodeCert(publicKeyPem, nodeId, nodeSid, physicalPath, logicals, ttlDays = 365, spiffeTrustDomain = "naylence.fame") {
|
|
431
|
-
await this.ensureSigningMaterials();
|
|
432
|
-
const signingCert = this.getSigningCertificate();
|
|
433
|
-
const signingKey = this.getSigningKey();
|
|
434
|
-
const expectedSid = secureDigest(physicalPath);
|
|
435
|
-
if (expectedSid !== nodeSid) {
|
|
436
|
-
throw new Error("Provided SID does not match the computed SID for the physical path");
|
|
437
|
-
}
|
|
438
|
-
const logicalHosts = logicals ?? [];
|
|
439
|
-
for (const logical of logicalHosts) {
|
|
440
|
-
const [valid, error] = validateHostLogical(logical);
|
|
441
|
-
if (!valid) {
|
|
442
|
-
throw new Error(`Invalid logical host '${logical}': ${error ?? "unknown error"}`);
|
|
443
|
-
}
|
|
444
|
-
}
|
|
445
|
-
await ensureCrypto();
|
|
446
|
-
const publicKey = await importEd25519PublicKey(publicKeyPem, ["verify"]);
|
|
447
|
-
const issuerIdentity = getCertificateIdentity(signingCert);
|
|
448
|
-
const now = new Date();
|
|
449
|
-
const notBefore = new Date(now.getTime() - 60000);
|
|
450
|
-
const notAfter = addDays(now, ttlDays);
|
|
451
|
-
const spiffeId = `spiffe://${spiffeTrustDomain}/nodes/${nodeSid}`;
|
|
452
|
-
const extensions = await buildLeafExtensions(publicKey, nodeSid, nodeId, spiffeId, logicalHosts, issuerIdentity.subjectPublicKeyInfo);
|
|
453
|
-
const issuerName = issuerIdentity.name;
|
|
454
|
-
const subjectName = new Name([]); // SPIFFE X.509-SVIDs require an empty subject DN
|
|
455
|
-
const certDer = await createEd25519Certificate({
|
|
456
|
-
subject: subjectName,
|
|
457
|
-
issuer: issuerName,
|
|
458
|
-
subjectPublicKey: publicKey,
|
|
459
|
-
signingKey,
|
|
460
|
-
notBefore,
|
|
461
|
-
notAfter,
|
|
462
|
-
extensions,
|
|
463
|
-
});
|
|
464
|
-
return derToPem(certDer, "CERTIFICATE");
|
|
465
|
-
}
|
|
466
|
-
/**
|
|
467
|
-
* Create an intermediate CA certificate.
|
|
468
|
-
*
|
|
469
|
-
* @param publicKeyPem - Intermediate CA's public key in PEM format
|
|
470
|
-
* @param caName - Name for the intermediate CA
|
|
471
|
-
* @param permittedPaths - List of logical prefixes this CA can issue for
|
|
472
|
-
* @param ttlDays - Certificate validity period in days
|
|
473
|
-
* @returns PEM-encoded intermediate CA certificate
|
|
474
|
-
*/
|
|
475
|
-
async createIntermediateCA(publicKeyPem, caName, permittedPaths, ttlDays = 1825) {
|
|
476
|
-
await this.ensureRootMaterials();
|
|
477
|
-
const rootCert = this.getRootCertificate();
|
|
478
|
-
const rootKey = this.getRootKey();
|
|
479
|
-
await ensureCrypto();
|
|
480
|
-
const subjectPublicKey = await importEd25519PublicKey(publicKeyPem);
|
|
481
|
-
const now = new Date();
|
|
482
|
-
const notBefore = new Date(now.getTime() - 60000);
|
|
483
|
-
const notAfter = addDays(now, ttlDays);
|
|
484
|
-
const subjectName = buildCertificateName(caName, "Naylence Fame", "Fame Intermediate CAs");
|
|
485
|
-
const issuerIdentity = getCertificateIdentity(rootCert);
|
|
486
|
-
const extensions = await buildCaExtensions(subjectPublicKey, issuerIdentity.subjectPublicKeyInfo, {
|
|
487
|
-
pathLength: 0,
|
|
488
|
-
permittedDnsDomains: permittedPaths.length
|
|
489
|
-
? [getFameRootDomain()]
|
|
490
|
-
: undefined,
|
|
491
|
-
});
|
|
492
|
-
const certDer = await createEd25519Certificate({
|
|
493
|
-
subject: subjectName,
|
|
494
|
-
issuer: issuerIdentity.name,
|
|
495
|
-
subjectPublicKey,
|
|
496
|
-
signingKey: rootKey,
|
|
497
|
-
notBefore,
|
|
498
|
-
notAfter,
|
|
499
|
-
extensions,
|
|
500
|
-
});
|
|
501
|
-
return derToPem(certDer, "CERTIFICATE");
|
|
502
|
-
}
|
|
503
|
-
}
|
|
504
|
-
/**
|
|
505
|
-
* Create a test root CA for development/testing.
|
|
506
|
-
*
|
|
507
|
-
* Generates an Ed25519 key pair and self-signed root CA certificate.
|
|
508
|
-
*
|
|
509
|
-
* @returns Tuple of [rootCertPem, rootKeyPem]
|
|
510
|
-
*/
|
|
511
|
-
export async function createTestCA() {
|
|
512
|
-
const subtle = await getSubtleCrypto();
|
|
513
|
-
await ensureCrypto();
|
|
514
|
-
const keyPair = await subtle.generateKey({
|
|
515
|
-
name: "Ed25519",
|
|
516
|
-
namedCurve: "Ed25519",
|
|
517
|
-
}, true, ["sign", "verify"]);
|
|
518
|
-
const privateKeyDer = await subtle.exportKey("pkcs8", keyPair.privateKey);
|
|
519
|
-
const publicKeyDer = await subtle.exportKey("spki", keyPair.publicKey);
|
|
520
|
-
const rootKeyPem = derToPem(privateKeyDer, "PRIVATE KEY");
|
|
521
|
-
const publicKeyPem = derToPem(publicKeyDer, "PUBLIC KEY");
|
|
522
|
-
const now = new Date();
|
|
523
|
-
const notBefore = new Date(now.getTime() - 60000);
|
|
524
|
-
const notAfter = addDays(now, 365 * 20);
|
|
525
|
-
const subjectName = buildCertificateName("Fame Test Root CA", "Naylence Fame");
|
|
526
|
-
const extensions = await buildCaExtensions(keyPair.publicKey, keyPair.publicKey, { pathLength: null });
|
|
527
|
-
const certDer = await createEd25519Certificate({
|
|
528
|
-
subject: subjectName,
|
|
529
|
-
issuer: subjectName,
|
|
530
|
-
subjectPublicKey: keyPair.publicKey,
|
|
531
|
-
signingKey: keyPair.privateKey,
|
|
532
|
-
notBefore,
|
|
533
|
-
notAfter,
|
|
534
|
-
extensions,
|
|
535
|
-
});
|
|
536
|
-
const rootCertPem = derToPem(certDer, "CERTIFICATE");
|
|
537
|
-
return [rootCertPem, rootKeyPem, publicKeyPem];
|
|
538
|
-
}
|
|
539
|
-
/**
|
|
540
|
-
* Extract SPIFFE ID from certificate SAN.
|
|
541
|
-
*
|
|
542
|
-
* @param certPem - Certificate in PEM format
|
|
543
|
-
* @returns SPIFFE ID string or null if not found
|
|
544
|
-
*/
|
|
545
|
-
export async function extractSpiffeIdFromCert(certPem) {
|
|
546
|
-
const x509 = await loadX509Module();
|
|
547
|
-
if (!x509) {
|
|
548
|
-
throw new Error("@peculiar/x509 module not available");
|
|
549
|
-
}
|
|
550
|
-
try {
|
|
551
|
-
const certDer = pemToDer(certPem);
|
|
552
|
-
const cert = new x509.X509Certificate(certDer);
|
|
553
|
-
// TODO: Extract SAN extension and find SPIFFE URI
|
|
554
|
-
// This requires accessing the certificate extensions
|
|
555
|
-
console.log("Extracting SPIFFE ID from cert:", cert.subject);
|
|
556
|
-
return null;
|
|
557
|
-
}
|
|
558
|
-
catch (error) {
|
|
559
|
-
console.error("Failed to extract SPIFFE ID:", error);
|
|
560
|
-
return null;
|
|
561
|
-
}
|
|
562
|
-
}
|
|
563
|
-
/**
|
|
564
|
-
* Extract raw SID bytes from certificate extension.
|
|
565
|
-
*
|
|
566
|
-
* @param certPem - Certificate in PEM format
|
|
567
|
-
* @returns SID bytes or null if not found
|
|
568
|
-
*/
|
|
569
|
-
export async function extractSidFromCert(certPem) {
|
|
570
|
-
const x509 = await loadX509Module();
|
|
571
|
-
if (!x509) {
|
|
572
|
-
throw new Error("@peculiar/x509 module not available");
|
|
573
|
-
}
|
|
574
|
-
try {
|
|
575
|
-
const certDer = pemToDer(certPem);
|
|
576
|
-
const cert = new x509.X509Certificate(certDer);
|
|
577
|
-
const sidExtension = cert.getExtension(SID_OID);
|
|
578
|
-
if (sidExtension) {
|
|
579
|
-
return new Uint8Array(sidExtension);
|
|
580
|
-
}
|
|
581
|
-
return null;
|
|
582
|
-
}
|
|
583
|
-
catch (error) {
|
|
584
|
-
console.error("Failed to extract SID:", error);
|
|
585
|
-
return null;
|
|
586
|
-
}
|
|
587
|
-
}
|
|
588
|
-
/**
|
|
589
|
-
* Extract node ID from certificate extension.
|
|
590
|
-
*
|
|
591
|
-
* @param certPem - Certificate in PEM format
|
|
592
|
-
* @returns Node ID string or null if not found
|
|
593
|
-
*/
|
|
594
|
-
export async function extractNodeIdFromCert(certPem) {
|
|
595
|
-
const x509 = await loadX509Module();
|
|
596
|
-
if (!x509) {
|
|
597
|
-
throw new Error("@peculiar/x509 module not available");
|
|
598
|
-
}
|
|
599
|
-
try {
|
|
600
|
-
const certDer = pemToDer(certPem);
|
|
601
|
-
const cert = new x509.X509Certificate(certDer);
|
|
602
|
-
const nodeIdExtension = cert.getExtension(NODE_ID_OID);
|
|
603
|
-
if (nodeIdExtension) {
|
|
604
|
-
const decoder = new TextDecoder();
|
|
605
|
-
return decoder.decode(nodeIdExtension);
|
|
606
|
-
}
|
|
607
|
-
return null;
|
|
608
|
-
}
|
|
609
|
-
catch (error) {
|
|
610
|
-
console.error("Failed to extract node ID:", error);
|
|
611
|
-
return null;
|
|
612
|
-
}
|
|
613
|
-
}
|
|
614
|
-
/**
|
|
615
|
-
* Extract logical hosts from certificate private extension.
|
|
616
|
-
*
|
|
617
|
-
* @param certPem - Certificate in PEM format
|
|
618
|
-
* @returns List of logical host addresses, empty if none found
|
|
619
|
-
*/
|
|
620
|
-
export async function extractLogicalHostsFromCert(certPem) {
|
|
621
|
-
const x509 = await loadX509Module();
|
|
622
|
-
if (!x509) {
|
|
623
|
-
throw new Error("@peculiar/x509 module not available");
|
|
624
|
-
}
|
|
625
|
-
try {
|
|
626
|
-
const certDer = pemToDer(certPem);
|
|
627
|
-
const cert = new x509.X509Certificate(certDer);
|
|
628
|
-
const logicalsExtension = cert.getExtension(LOGICALS_OID);
|
|
629
|
-
if (logicalsExtension) {
|
|
630
|
-
const decoder = new TextDecoder();
|
|
631
|
-
const jsonStr = decoder.decode(logicalsExtension);
|
|
632
|
-
return JSON.parse(jsonStr);
|
|
633
|
-
}
|
|
634
|
-
return [];
|
|
635
|
-
}
|
|
636
|
-
catch (error) {
|
|
637
|
-
console.error("Failed to extract logical hosts:", error);
|
|
638
|
-
return [];
|
|
639
|
-
}
|
|
640
|
-
}
|
|
641
|
-
/**
|
|
642
|
-
* Extract the SID string from a SPIFFE ID.
|
|
643
|
-
*
|
|
644
|
-
* @param spiffeId - SPIFFE ID in format spiffe://trust-domain/nodes/<sid>
|
|
645
|
-
* @returns SID string (base62-encoded) or null if not a valid node SPIFFE ID
|
|
646
|
-
*/
|
|
647
|
-
export function extractSidFromSpiffeId(spiffeId) {
|
|
648
|
-
if (!spiffeId.startsWith("spiffe://")) {
|
|
649
|
-
return null;
|
|
650
|
-
}
|
|
651
|
-
// Parse spiffe://trust-domain/nodes/<sid>
|
|
652
|
-
const parts = spiffeId.split("/");
|
|
653
|
-
if (parts.length >= 5 && parts[3] === "nodes") {
|
|
654
|
-
return parts[4] ?? null; // The SID string (base62-encoded)
|
|
655
|
-
}
|
|
656
|
-
return null;
|
|
657
|
-
}
|
|
658
|
-
/**
|
|
659
|
-
* Verify that the SID in the certificate matches the expected physical path.
|
|
660
|
-
*
|
|
661
|
-
* @param certPem - Certificate in PEM format
|
|
662
|
-
* @param physicalPath - The expected physical path to verify against
|
|
663
|
-
* @returns True if SID matches computed hash of physical path, False otherwise
|
|
664
|
-
*/
|
|
665
|
-
export async function verifyCertSidIntegrity(certPem, physicalPath) {
|
|
666
|
-
const sidBytes = await extractSidFromCert(certPem);
|
|
667
|
-
if (!sidBytes) {
|
|
668
|
-
return false;
|
|
669
|
-
}
|
|
670
|
-
try {
|
|
671
|
-
const decoder = new TextDecoder();
|
|
672
|
-
const certSid = decoder.decode(sidBytes);
|
|
673
|
-
// Compute expected SID from physical path and compare
|
|
674
|
-
// TODO: Import secureDigest from runtime
|
|
675
|
-
// const expectedSid = secureDigest(physicalPath);
|
|
676
|
-
// return certSid === expectedSid;
|
|
677
|
-
console.log("Verifying SID integrity:", { certSid, physicalPath });
|
|
678
|
-
return false; // Placeholder until secureDigest is available
|
|
679
|
-
}
|
|
680
|
-
catch (error) {
|
|
681
|
-
console.error("Failed to verify SID integrity:", error);
|
|
682
|
-
return false;
|
|
683
|
-
}
|
|
684
|
-
}
|
|
685
|
-
// ============================================================================
|
|
686
|
-
// Utility Functions
|
|
687
|
-
// ============================================================================
|
|
688
|
-
/**
|
|
689
|
-
* Convert PEM to DER format as ArrayBuffer.
|
|
690
|
-
*/
|
|
691
|
-
function pemToDer(pem) {
|
|
692
|
-
const base64 = pem
|
|
693
|
-
.replace(/-----BEGIN[^-]+-----/, "")
|
|
694
|
-
.replace(/-----END[^-]+-----/, "")
|
|
695
|
-
.replace(/\s/g, "");
|
|
696
|
-
const bytes = base64ToBuffer(base64);
|
|
697
|
-
// Create a new ArrayBuffer and copy the data
|
|
698
|
-
const buffer = new ArrayBuffer(bytes.length);
|
|
699
|
-
const view = new Uint8Array(buffer);
|
|
700
|
-
view.set(bytes);
|
|
701
|
-
return buffer;
|
|
702
|
-
}
|
|
703
|
-
/**
|
|
704
|
-
* Convert base64 string to Uint8Array.
|
|
705
|
-
*/
|
|
706
|
-
function base64ToBuffer(base64) {
|
|
707
|
-
if (typeof Buffer !== "undefined") {
|
|
708
|
-
return Buffer.from(base64, "base64");
|
|
709
|
-
}
|
|
710
|
-
const binary = atob(base64);
|
|
711
|
-
const bytes = new Uint8Array(binary.length);
|
|
712
|
-
for (let i = 0; i < binary.length; i++) {
|
|
713
|
-
bytes[i] = binary.charCodeAt(i);
|
|
714
|
-
}
|
|
715
|
-
return bytes;
|
|
716
|
-
}
|
|
717
|
-
/**
|
|
718
|
-
* Convert ArrayBuffer to base64 string.
|
|
719
|
-
*/
|
|
720
|
-
function bufferToBase64(buffer) {
|
|
721
|
-
if (typeof Buffer !== "undefined") {
|
|
722
|
-
return Buffer.from(buffer).toString("base64");
|
|
723
|
-
}
|
|
724
|
-
const bytes = new Uint8Array(buffer);
|
|
725
|
-
let binary = "";
|
|
726
|
-
for (let i = 0; i < bytes.length; i++) {
|
|
727
|
-
binary += String.fromCharCode(bytes[i]);
|
|
728
|
-
}
|
|
729
|
-
return btoa(binary);
|
|
730
|
-
}
|
|
731
|
-
/**
|
|
732
|
-
* Format base64 string into 64-character lines.
|
|
733
|
-
*/
|
|
734
|
-
function formatPem(base64) {
|
|
735
|
-
const lines = [];
|
|
736
|
-
for (let i = 0; i < base64.length; i += 64) {
|
|
737
|
-
lines.push(base64.substring(i, Math.min(i + 64, base64.length)));
|
|
738
|
-
}
|
|
739
|
-
return lines.join("\n");
|
|
740
|
-
}
|
|
741
|
-
//# sourceMappingURL=internal-ca-service.js.map
|