@sphereon/ssi-sdk-ext.x509-utils 0.24.1-unstable.9

package/dist/x509/x509-utils.js

@@ -0,0 +1,196 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.derToPEM = exports.PEMToDer = exports.hexToPEM = exports.hexToBase64 = exports.base64ToHex = exports.PEMToHex = exports.publicKeyHexFromPEM = exports.hexKeyFromPEMBasedJwk = exports.privateKeyHexFromPEM = exports.PEMToJwk = exports.jwkToPEM = exports.toKeyObject = exports.areCertificatesEqual = exports.pemOrDerToX509Certificate = exports.x5cToPemCertChain = exports.pemCertChainTox5c = void 0;
+const pkijs_1 = require("pkijs");
+const u8a = __importStar(require("uint8arrays"));
+// @ts-ignore
+const keyto_1 = __importDefault(require("@trust/keyto"));
+// Based on (MIT licensed):
+// https://github.com/hildjj/node-posh/blob/master/lib/index.js
+function pemCertChainTox5c(cert, maxDepth) {
+    if (!maxDepth) {
+        maxDepth = 0;
+    }
+    /*
+     * Convert a PEM-encoded certificate to the version used in the x5c element
+     * of a [JSON Web Key](http://tools.ietf.org/html/draft-ietf-jose-json-web-key).
+     *
+     * `cert` PEM-encoded certificate chain
+     * `maxdepth` The maximum number of certificates to use from the chain.
+     */
+    const intermediate = cert
+        .replace(/-----[^\n]+\n?/gm, ',')
+        .replace(/\n/g, '')
+        .replace(/\r/g, '');
+    let x5c = intermediate.split(',').filter(function (c) {
+        return c.length > 0;
+    });
+    if (maxDepth > 0) {
+        x5c = x5c.splice(0, maxDepth);
+    }
+    return x5c;
+}
+exports.pemCertChainTox5c = pemCertChainTox5c;
+function x5cToPemCertChain(x5c, maxDepth) {
+    if (!maxDepth) {
+        maxDepth = 0;
+    }
+    const length = maxDepth === 0 ? x5c.length : Math.min(maxDepth, x5c.length);
+    let pem = '';
+    for (let i = 0; i < length; i++) {
+        pem += derToPEM(x5c[i], 'CERTIFICATE');
+    }
+    return pem;
+}
+exports.x5cToPemCertChain = x5cToPemCertChain;
+const pemOrDerToX509Certificate = (cert) => {
+    if (typeof cert !== 'string') {
+        return pkijs_1.Certificate.fromBER(cert);
+    }
+    let DER = cert;
+    if (cert.includes('CERTIFICATE')) {
+        DER = PEMToDer(cert);
+    }
+    return pkijs_1.Certificate.fromBER(u8a.fromString(DER, 'base64pad'));
+};
+exports.pemOrDerToX509Certificate = pemOrDerToX509Certificate;
+const areCertificatesEqual = (cert1, cert2) => {
+    return cert1.signatureValue.isEqual(cert2.signatureValue);
+};
+exports.areCertificatesEqual = areCertificatesEqual;
+const toKeyObject = (PEM, visibility = 'public') => {
+    const jwk = (0, exports.PEMToJwk)(PEM, visibility);
+    const keyVisibility = jwk.d ? 'private' : 'public';
+    const keyHex = keyVisibility === 'private' ? (0, exports.privateKeyHexFromPEM)(PEM) : (0, exports.publicKeyHexFromPEM)(PEM);
+    return {
+        pem: (0, exports.hexToPEM)(keyHex, visibility),
+        jwk,
+        keyHex,
+        keyType: keyVisibility,
+    };
+};
+exports.toKeyObject = toKeyObject;
+const jwkToPEM = (jwk, visibility = 'public') => {
+    return keyto_1.default.from(jwk, 'jwk').toString('pem', visibility === 'public' ? 'public_pkcs8' : 'private_pkcs8');
+};
+exports.jwkToPEM = jwkToPEM;
+const PEMToJwk = (pem, visibility = 'public') => {
+    return keyto_1.default.from(pem, 'pem').toJwk(visibility);
+};
+exports.PEMToJwk = PEMToJwk;
+const privateKeyHexFromPEM = (PEM) => {
+    return (0, exports.PEMToHex)(PEM);
+};
+exports.privateKeyHexFromPEM = privateKeyHexFromPEM;
+const hexKeyFromPEMBasedJwk = (jwk, visibility = 'public') => {
+    if (visibility === 'private') {
+        return (0, exports.privateKeyHexFromPEM)((0, exports.jwkToPEM)(jwk, 'private'));
+    }
+    else {
+        return (0, exports.publicKeyHexFromPEM)((0, exports.jwkToPEM)(jwk, 'public'));
+    }
+};
+exports.hexKeyFromPEMBasedJwk = hexKeyFromPEMBasedJwk;
+const publicKeyHexFromPEM = (PEM) => {
+    const hex = (0, exports.PEMToHex)(PEM);
+    if (PEM.includes('CERTIFICATE')) {
+        throw Error('Cannot directly deduce public Key from PEM Certificate yet');
+    }
+    else if (!PEM.includes('PRIVATE')) {
+        return hex;
+    }
+    const publicJwk = (0, exports.PEMToJwk)(PEM, 'public');
+    const publicPEM = (0, exports.jwkToPEM)(publicJwk, 'public');
+    return (0, exports.PEMToHex)(publicPEM);
+};
+exports.publicKeyHexFromPEM = publicKeyHexFromPEM;
+const PEMToHex = (PEM, headerKey) => {
+    if (PEM.indexOf('-----BEGIN ') == -1) {
+        throw Error(`PEM header not found: ${headerKey}`);
+    }
+    let strippedPem;
+    if (headerKey) {
+        strippedPem = PEM.replace(new RegExp('^[^]*-----BEGIN ' + headerKey + '-----'), '');
+        strippedPem = strippedPem.replace(new RegExp('-----END ' + headerKey + '-----[^]*$'), '');
+    }
+    else {
+        strippedPem = PEM.replace(/^[^]*-----BEGIN [^-]+-----/, '');
+        strippedPem = strippedPem.replace(/-----END [^-]+-----[^]*$/, '');
+    }
+    return (0, exports.base64ToHex)(strippedPem, 'base64pad');
+};
+exports.PEMToHex = PEMToHex;
+/**
+ * Converts a base64 encoded string to hex string, removing any non-base64 characters, including newlines
+ * @param input The input in base64, with optional newlines
+ * @param inputEncoding
+ */
+const base64ToHex = (input, inputEncoding) => {
+    const base64NoNewlines = input.replace(/[^0-9A-Za-z_\-~\/+=]*/g, '');
+    return u8a.toString(u8a.fromString(base64NoNewlines, inputEncoding ? inputEncoding : 'base64pad'), 'base16');
+};
+exports.base64ToHex = base64ToHex;
+const hexToBase64 = (input, targetEncoding) => {
+    let hex = typeof input === 'string' ? input : input.toString(16);
+    if (hex.length % 2 === 1) {
+        hex = `0${hex}`;
+    }
+    return u8a.toString(u8a.fromString(hex, 'base16'), targetEncoding ? targetEncoding : 'base64pad');
+};
+exports.hexToBase64 = hexToBase64;
+const hexToPEM = (hex, type) => {
+    const base64 = (0, exports.hexToBase64)(hex, 'base64pad');
+    const headerKey = type === 'private' ? 'RSA PRIVATE KEY' : 'PUBLIC KEY';
+    if (type === 'private') {
+        const pem = derToPEM(base64, headerKey);
+        try {
+            (0, exports.PEMToJwk)(pem); // We only use it to test the private key
+            return pem;
+        }
+        catch (error) {
+            return derToPEM(base64, 'PRIVATE KEY');
+        }
+    }
+    return derToPEM(base64, headerKey);
+};
+exports.hexToPEM = hexToPEM;
+function PEMToDer(pem) {
+    return pem.replace(/(-----(BEGIN|END) CERTIFICATE-----|[\n\r])/g, '');
+}
+exports.PEMToDer = PEMToDer;
+function derToPEM(cert, headerKey) {
+    const key = headerKey !== null && headerKey !== void 0 ? headerKey : 'CERTIFICATE';
+    const matches = cert.match(/.{1,64}/g);
+    if (!matches) {
+        throw Error('Invalid cert input value supplied');
+    }
+    return `-----BEGIN ${key}-----\n${matches.join('\n')}\n-----END ${key}-----\n`;
+}
+exports.derToPEM = derToPEM;
+//# sourceMappingURL=x509-utils.js.map

package/dist/x509/x509-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"x509-utils.js","sourceRoot":"","sources":["../../src/x509/x509-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iCAAmC;AACnC,iDAAkC;AAClC,aAAa;AACb,yDAAgC;AAGhC,2BAA2B;AAC3B,+DAA+D;AAC/D,SAAgB,iBAAiB,CAAC,IAAY,EAAE,QAAiB;IAC/D,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,CAAC,CAAA;IACd,CAAC;IACD;;;;;;OAMG;IAEH,MAAM,YAAY,GAAG,IAAI;SACtB,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC;SAChC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IACrB,IAAI,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC;QAClD,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAA;IACrB,CAAC,CAAC,CAAA;IACF,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QACjB,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAvBD,8CAuBC;AAED,SAAgB,iBAAiB,CAAC,GAAa,EAAE,QAAiB;IAChE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,CAAC,CAAA;IACd,CAAC;IACD,MAAM,MAAM,GAAG,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CAAA;IAC3E,IAAI,GAAG,GAAG,EAAE,CAAA;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,aAAa,CAAC,CAAA;IACxC,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAVD,8CAUC;AAEM,MAAM,yBAAyB,GAAG,CAAC,IAAyB,EAAe,EAAE;IAClF,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,OAAO,mBAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IAClC,CAAC;IACD,IAAI,GAAG,GAAG,IAAI,CAAA;IACd,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAA;IACtB,CAAC;IACD,OAAO,mBAAW,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAA;AAC9D,CAAC,CAAA;AATY,QAAA,yBAAyB,6BASrC;AAEM,MAAM,oBAAoB,GAAG,CAAC,KAAkB,EAAE,KAAkB,EAAW,EAAE;IACtF,OAAO,KAAK,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAAA;AAC3D,CAAC,CAAA;AAFY,QAAA,oBAAoB,wBAEhC;AAEM,MAAM,WAAW,GAAG,CAAC,GAAW,EAAE,aAA4B,QAAQ,EAAE,EAAE;IAC/E,MAAM,GAAG,GAAG,IAAA,gBAAQ,EAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IACrC,MAAM,aAAa,GAAkB,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAA;IACjE,MAAM,MAAM,GAAG,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,IAAA,4BAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAA,2BAAmB,EAAC,GAAG,CAAC,CAAA;IAEjG,OAAO;QACL,GAAG,EAAE,IAAA,gBAAQ,EAAC,MAAM,EAAE,UAAU,CAAC;QACjC,GAAG;QACH,MAAM;QACN,OAAO,EAAE,aAAa;KACvB,CAAA;AACH,CAAC,CAAA;AAXY,QAAA,WAAW,eAWvB;AAEM,MAAM,QAAQ,GAAG,CAAC,GAAe,EAAE,aAA4B,QAAQ,EAAU,EAAE;IACxF,OAAO,eAAK,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,eAAe,CAAC,CAAA;AAC3G,CAAC,CAAA;AAFY,QAAA,QAAQ,YAEpB;AAEM,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAE,aAA4B,QAAQ,EAAc,EAAE;IACxF,OAAO,eAAK,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;AACjD,CAAC,CAAA;AAFY,QAAA,QAAQ,YAEpB;AACM,MAAM,oBAAoB,GAAG,CAAC,GAAW,EAAE,EAAE;IAClD,OAAO,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAA;AACtB,CAAC,CAAA;AAFY,QAAA,oBAAoB,wBAEhC;AAEM,MAAM,qBAAqB,GAAG,CAAC,GAAe,EAAE,aAA4B,QAAQ,EAAU,EAAE;IACrG,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,OAAO,IAAA,4BAAoB,EAAC,IAAA,gBAAQ,EAAC,GAAG,EAAE,SAAS,CAAC,CAAC,CAAA;IACvD,CAAC;SAAM,CAAC;QACN,OAAO,IAAA,2BAAmB,EAAC,IAAA,gBAAQ,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAA;IACrD,CAAC;AACH,CAAC,CAAA;AANY,QAAA,qBAAqB,yBAMjC;AAEM,MAAM,mBAAmB,GAAG,CAAC,GAAW,EAAE,EAAE;IACjD,MAAM,GAAG,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAA;IACzB,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAChC,MAAM,KAAK,CAAC,4DAA4D,CAAC,CAAA;IAC3E,CAAC;SAAM,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACpC,OAAO,GAAG,CAAA;IACZ,CAAC;IACD,MAAM,SAAS,GAAG,IAAA,gBAAQ,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IACzC,MAAM,SAAS,GAAG,IAAA,gBAAQ,EAAC,SAAS,EAAE,QAAQ,CAAC,CAAA;IAC/C,OAAO,IAAA,gBAAQ,EAAC,SAAS,CAAC,CAAA;AAC5B,CAAC,CAAA;AAVY,QAAA,mBAAmB,uBAU/B;AAEM,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAE,SAAkB,EAAU,EAAE;IAClE,IAAI,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QACrC,MAAM,KAAK,CAAC,yBAAyB,SAAS,EAAE,CAAC,CAAA;IACnD,CAAC;IAED,IAAI,WAAmB,CAAA;IACvB,IAAI,SAAS,EAAE,CAAC;QACd,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,kBAAkB,GAAG,SAAS,GAAG,OAAO,CAAC,EAAE,EAAE,CAAC,CAAA;QACnF,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,WAAW,GAAG,SAAS,GAAG,YAAY,CAAC,EAAE,EAAE,CAAC,CAAA;IAC3F,CAAC;SAAM,CAAC;QACN,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC,CAAA;QAC3D,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC,CAAA;IACnE,CAAC;IACD,OAAO,IAAA,mBAAW,EAAC,WAAW,EAAE,WAAW,CAAC,CAAA;AAC9C,CAAC,CAAA;AAdY,QAAA,QAAQ,YAcpB;AAED;;;;GAIG;AACI,MAAM,WAAW,GAAG,CAAC,KAAa,EAAE,aAAqE,EAAE,EAAE;IAClH,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,wBAAwB,EAAE,EAAE,CAAC,CAAA;IACpE,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,CAAA;AAC9G,CAAC,CAAA;AAHY,QAAA,WAAW,eAGvB;AAEM,MAAM,WAAW,GAAG,CAAC,KAA+B,EAAE,cAAsE,EAAU,EAAE;IAC7I,IAAI,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAA;IAChE,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,GAAG,GAAG,IAAI,GAAG,EAAE,CAAA;IACjB,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;AACnG,CAAC,CAAA;AANY,QAAA,WAAW,eAMvB;AAEM,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAE,IAAmB,EAAU,EAAE;IACnE,MAAM,MAAM,GAAG,IAAA,mBAAW,EAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,YAAY,CAAA;IACvE,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACvC,IAAI,CAAC;YACH,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAA,CAAC,yCAAyC;YACvD,OAAO,GAAG,CAAA;QACZ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;AACpC,CAAC,CAAA;AAbY,QAAA,QAAQ,YAapB;AAED,SAAgB,QAAQ,CAAC,GAAW;IAClC,OAAO,GAAG,CAAC,OAAO,CAAC,6CAA6C,EAAE,EAAE,CAAC,CAAA;AACvE,CAAC;AAFD,4BAEC;AAED,SAAgB,QAAQ,CAAC,IAAY,EAAE,SAA4E;IACjH,MAAM,GAAG,GAAG,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,aAAa,CAAA;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IACtC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,KAAK,CAAC,mCAAmC,CAAC,CAAA;IAClD,CAAC;IACD,OAAO,cAAc,GAAG,UAAU,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,GAAG,SAAS,CAAA;AAChF,CAAC;AAPD,4BAOC"}

package/dist/x509/x509-validator.d.ts

@@ -0,0 +1,42 @@
+import { Certificate } from 'pkijs';
+export type DNInfo = {
+    DN: string;
+    attributes: Record<string, string>;
+};
+export type CertInfo = {
+    certificate?: Certificate;
+    notBefore: Date;
+    notAfter: Date;
+    publicKeyJWK?: any;
+    issuer: {
+        dn: DNInfo;
+    };
+    subject: {
+        dn: DNInfo;
+    };
+};
+export type X509ValidationResult = {
+    error: boolean;
+    critical: boolean;
+    message: string;
+    verificationTime: Date;
+    certificateChain?: Array<CertInfo>;
+};
+/**
+ *
+ * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
+ * @param trustedPEMs
+ * @param verificationTime
+ * @param opts
+ */
+export declare const validateX509CertificateChain: ({ chain: pemOrDerChain, trustAnchors, verificationTime, opts, }: {
+    chain: (Uint8Array | string)[];
+    trustAnchors?: string[];
+    verificationTime?: Date;
+    opts?: {
+        trustRootWhenNoAnchors: boolean;
+    };
+}) => Promise<X509ValidationResult>;
+export declare const getIssuerDN: (cert: Certificate) => DNInfo;
+export declare const getSubjectDN: (cert: Certificate) => DNInfo;
+//# sourceMappingURL=x509-validator.d.ts.map

package/dist/x509/x509-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x509-validator.d.ts","sourceRoot":"","sources":["../../src/x509/x509-validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAyB,WAAW,EAAwE,MAAM,OAAO,CAAA;AAGhI,MAAM,MAAM,MAAM,GAAG;IACnB,EAAE,EAAE,MAAM,CAAA;IACV,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACnC,CAAA;AAED,MAAM,MAAM,QAAQ,GAAG;IACrB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,IAAI,CAAA;IACd,YAAY,CAAC,EAAE,GAAG,CAAA;IAClB,MAAM,EAAE;QACN,EAAE,EAAE,MAAM,CAAA;KACX,CAAA;IACD,OAAO,EAAE;QACP,EAAE,EAAE,MAAM,CAAA;KACX,CAAA;CACF,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,KAAK,EAAE,OAAO,CAAA;IACd,QAAQ,EAAE,OAAO,CAAA;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,gBAAgB,EAAE,IAAI,CAAA;IACtB,gBAAgB,CAAC,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAA;CACnC,CAAA;AAqBD;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,oEAKtC;IACD,KAAK,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,CAAA;IAC9B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,gBAAgB,CAAC,EAAE,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAA;KAAE,CAAA;CAC3C,KAAG,QAAQ,oBAAoB,CAsD/B,CAAA;AAgBD,eAAO,MAAM,WAAW,SAAU,WAAW,KAAG,MAK/C,CAAA;AAED,eAAO,MAAM,YAAY,SAAU,WAAW,KAAG,MAKhD,CAAA"}

package/dist/x509/x509-validator.js

@@ -0,0 +1,134 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSubjectDN = exports.getIssuerDN = exports.validateX509CertificateChain = void 0;
+const pkijs_1 = require("pkijs");
+const x509_utils_1 = require("./x509-utils");
+const defaultCryptoEngine = () => {
+    if (typeof self !== 'undefined') {
+        if ('crypto' in self) {
+            let engineName = 'webcrypto';
+            if ('webkitSubtle' in self.crypto) {
+                engineName = 'safari';
+            }
+            (0, pkijs_1.setEngine)(engineName, new pkijs_1.CryptoEngine({ name: engineName, crypto: crypto }));
+        }
+    }
+    else if (typeof crypto !== 'undefined' && 'webcrypto' in crypto) {
+        const name = 'NodeJS ^15';
+        const nodeCrypto = crypto.webcrypto;
+        // @ts-ignore
+        (0, pkijs_1.setEngine)(name, new pkijs_1.CryptoEngine({ name, crypto: nodeCrypto }));
+    }
+    else if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
+        const name = 'crypto';
+        (0, pkijs_1.setEngine)(name, new pkijs_1.CryptoEngine({ name, crypto: crypto }));
+    }
+};
+/**
+ *
+ * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
+ * @param trustedPEMs
+ * @param verificationTime
+ * @param opts
+ */
+const validateX509CertificateChain = (_a) => __awaiter(void 0, [_a], void 0, function* ({ chain: pemOrDerChain, trustAnchors, verificationTime = new Date(), opts = { trustRootWhenNoAnchors: false }, }) {
+    const { trustRootWhenNoAnchors = false } = opts;
+    const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors;
+    if (pemOrDerChain.length === 0) {
+        return {
+            error: true,
+            critical: true,
+            message: 'Certificate chain in DER or PEM format must not be empty',
+            verificationTime,
+        };
+    }
+    const certs = pemOrDerChain.map(x509_utils_1.pemOrDerToX509Certificate);
+    const trustedCerts = trustedPEMs ? trustedPEMs.map(x509_utils_1.pemOrDerToX509Certificate) : undefined;
+    defaultCryptoEngine();
+    const validationEngine = new pkijs_1.CertificateChainValidationEngine({
+        certs /*crls: [crl1],   ocsps: [ocsp1], */,
+        checkDate: verificationTime,
+        trustedCerts,
+    });
+    const verification = yield validationEngine.verify();
+    if (!verification.result || !verification.certificatePath) {
+        return {
+            error: true,
+            critical: true,
+            message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,
+            verificationTime,
+        };
+    }
+    const subtle = (0, pkijs_1.getCrypto)(true).subtle;
+    const certPath = verification.certificatePath;
+    const certInfos = yield Promise.all(certPath.map((certificate) => __awaiter(void 0, void 0, void 0, function* () {
+        const pk = yield certificate.getPublicKey();
+        return {
+            issuer: { dn: (0, exports.getIssuerDN)(certificate) },
+            subject: { dn: (0, exports.getSubjectDN)(certificate) },
+            publicKeyJWK: yield subtle.exportKey('jwk', pk),
+            notBefore: certificate.notBefore.value,
+            notAfter: certificate.notAfter.value,
+            // certificate
+        };
+    })));
+    return {
+        error: false,
+        critical: false,
+        message: `Certificate chain was valid`,
+        verificationTime,
+        certificateChain: certInfos,
+    };
+});
+exports.validateX509CertificateChain = validateX509CertificateChain;
+const rdnmap = {
+    '2.5.4.6': 'C',
+    '2.5.4.10': 'O',
+    '2.5.4.11': 'OU',
+    '2.5.4.3': 'CN',
+    '2.5.4.7': 'L',
+    '2.5.4.8': 'ST',
+    '2.5.4.12': 'T',
+    '2.5.4.42': 'GN',
+    '2.5.4.43': 'I',
+    '2.5.4.4': 'SN',
+    '1.2.840.113549.1.9.1': 'E-mail',
+};
+const getIssuerDN = (cert) => {
+    return {
+        DN: getDNString(cert.issuer.typesAndValues),
+        attributes: getDNObject(cert.issuer.typesAndValues),
+    };
+};
+exports.getIssuerDN = getIssuerDN;
+const getSubjectDN = (cert) => {
+    return {
+        DN: getDNString(cert.subject.typesAndValues),
+        attributes: getDNObject(cert.subject.typesAndValues),
+    };
+};
+exports.getSubjectDN = getSubjectDN;
+const getDNObject = (typesAndValues) => {
+    var _a;
+    const DN = {};
+    for (const typeAndValue of typesAndValues) {
+        const type = (_a = rdnmap[typeAndValue.type]) !== null && _a !== void 0 ? _a : typeAndValue.type;
+        DN[type] = typeAndValue.value.getValue();
+    }
+    return DN;
+};
+const getDNString = (typesAndValues) => {
+    return Object.entries(getDNObject(typesAndValues))
+        .map(([key, value]) => `${key}=${value}`)
+        .join(',');
+};
+//# sourceMappingURL=x509-validator.js.map

package/dist/x509/x509-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"x509-validator.js","sourceRoot":"","sources":["../../src/x509/x509-validator.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,iCAAgI;AAChI,6CAAwD;AA4BxD,MAAM,mBAAmB,GAAG,GAAG,EAAE;IAC/B,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;YACrB,IAAI,UAAU,GAAG,WAAW,CAAA;YAC5B,IAAI,cAAc,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAClC,UAAU,GAAG,QAAQ,CAAA;YACvB,CAAC;YACD,IAAA,iBAAS,EAAC,UAAU,EAAE,IAAI,oBAAY,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;QAC/E,CAAC;IACH,CAAC;SAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,WAAW,IAAI,MAAM,EAAE,CAAC;QAClE,MAAM,IAAI,GAAG,YAAY,CAAA;QACzB,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,CAAA;QACnC,aAAa;QACb,IAAA,iBAAS,EAAC,IAAI,EAAE,IAAI,oBAAY,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC,CAAA;IACjE,CAAC;SAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QACjF,MAAM,IAAI,GAAG,QAAQ,CAAA;QACrB,IAAA,iBAAS,EAAC,IAAI,EAAE,IAAI,oBAAY,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;IAC7D,CAAC;AACH,CAAC,CAAA;AACD;;;;;;GAMG;AACI,MAAM,4BAA4B,GAAG,KAUV,EAAE,4CAVe,EACjD,KAAK,EAAE,aAAa,EACpB,YAAY,EACZ,gBAAgB,GAAG,IAAI,IAAI,EAAE,EAC7B,IAAI,GAAG,EAAE,sBAAsB,EAAE,KAAK,EAAE,GAMzC;IACC,MAAM,EAAE,sBAAsB,GAAG,KAAK,EAAE,GAAG,IAAI,CAAA;IAC/C,MAAM,WAAW,GAAG,sBAAsB,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAA;IAEtH,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,0DAA0D;YACnE,gBAAgB;SACjB,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,sCAAyB,CAAC,CAAA;IAC1D,MAAM,YAAY,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,sCAAyB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACzF,mBAAmB,EAAE,CAAA;IAErB,MAAM,gBAAgB,GAAG,IAAI,wCAAgC,CAAC;QAC5D,KAAK,CAAC,oCAAoC;QAC1C,SAAS,EAAE,gBAAgB;QAC3B,YAAY;KACb,CAAC,CAAA;IAEF,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,CAAA;IACpD,IAAI,CAAC,YAAY,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QAC1D,OAAO;YACL,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,YAAY,CAAC,aAAa,KAAK,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,sCAAsC;YAChH,gBAAgB;SACjB,CAAA;IACH,CAAC;IACD,MAAM,MAAM,GAAG,IAAA,iBAAS,EAAC,IAAI,CAAC,CAAC,MAAM,CAAA;IACrC,MAAM,QAAQ,GAAG,YAAY,CAAC,eAAe,CAAA;IAC7C,MAAM,SAAS,GAAoB,MAAM,OAAO,CAAC,GAAG,CAClD,QAAQ,CAAC,GAAG,CAAC,CAAO,WAAW,EAAE,EAAE;QACjC,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,YAAY,EAAE,CAAA;QAC3C,OAAO;YACL,MAAM,EAAE,EAAE,EAAE,EAAE,IAAA,mBAAW,EAAC,WAAW,CAAC,EAAE;YACxC,OAAO,EAAE,EAAE,EAAE,EAAE,IAAA,oBAAY,EAAC,WAAW,CAAC,EAAE;YAC1C,YAAY,EAAE,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC/C,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,KAAK;YACtC,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC,KAAK;YACpC,cAAc;SACI,CAAA;IACtB,CAAC,CAAA,CAAC,CACH,CAAA;IACD,OAAO;QACL,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,KAAK;QACf,OAAO,EAAE,6BAA6B;QACtC,gBAAgB;QAChB,gBAAgB,EAAE,SAAS;KAC5B,CAAA;AACH,CAAC,CAAA,CAAA;AAhEY,QAAA,4BAA4B,gCAgExC;AAED,MAAM,MAAM,GAA2B;IACrC,SAAS,EAAE,GAAG;IACd,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;IAChB,SAAS,EAAE,IAAI;IACf,SAAS,EAAE,GAAG;IACd,SAAS,EAAE,IAAI;IACf,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;IAChB,UAAU,EAAE,GAAG;IACf,SAAS,EAAE,IAAI;IACf,sBAAsB,EAAE,QAAQ;CACjC,CAAA;AAEM,MAAM,WAAW,GAAG,CAAC,IAAiB,EAAU,EAAE;IACvD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;QAC3C,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;KACpD,CAAA;AACH,CAAC,CAAA;AALY,QAAA,WAAW,eAKvB;AAEM,MAAM,YAAY,GAAG,CAAC,IAAiB,EAAU,EAAE;IACxD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5C,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;KACrD,CAAA;AACH,CAAC,CAAA;AALY,QAAA,YAAY,gBAKxB;AAED,MAAM,WAAW,GAAG,CAAC,cAAuC,EAA0B,EAAE;;IACtF,MAAM,EAAE,GAA2B,EAAE,CAAA;IACrC,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,MAAA,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,mCAAI,YAAY,CAAC,IAAI,CAAA;QAC3D,EAAE,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC,CAAA;AACD,MAAM,WAAW,GAAG,CAAC,cAAuC,EAAU,EAAE;IACtE,OAAO,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;SAC/C,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;SACxC,IAAI,CAAC,GAAG,CAAC,CAAA;AACd,CAAC,CAAA"}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@sphereon/ssi-sdk-ext.x509-utils",
+  "description": "Sphereon SSI-SDK plugin functions for X.509 Certificate handling.",
+  "version": "0.24.1-unstable.9+9d7f5c6",
+  "source": "src/index.ts",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc --build",
+    "build:clean": "tsc --build --clean && tsc --build"
+  },
+  "dependencies": {
+    "@trust/keyto": "^1.0.1",
+    "debug": "^4.3.4",
+    "pkijs": "^3.2.4",
+    "uint8arrays": "^3.1.1"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.4"
+  },
+  "files": [
+    "dist/**/*",
+    "src/**/*",
+    "README.md",
+    "LICENSE"
+  ],
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": "git@github.com:Sphereon-OpenSource/ssi-sdk.git",
+  "author": "Sphereon <dev@sphereon.com>",
+  "license": "Apache-2.0",
+  "keywords": [
+    "JWK",
+    "DID",
+    "Veramo"
+  ],
+  "gitHead": "9d7f5c6eb96a1b39e7b98649a31139da604730bf"
+}

package/src/index.ts

@@ -0,0 +1,6 @@
+/**
+ *
+ * @packageDocumentation
+ */
+export * from './types'
+export * from './x509'

package/src/types/index.ts

@@ -0,0 +1,16 @@
+export enum JwkKeyUse {
+  Encryption = 'enc',
+  Signature = 'sig',
+}
+
+export type HashAlgorithm = 'SHA-256' | 'SHA-512'
+
+export type KeyVisibility = 'public' | 'private'
+
+export interface X509Opts {
+  cn?: string // The certificate Common Name. Will be used as the KID for the private key. Uses alias if not provided.
+  privateKeyPEM?: string // Optional as you also need to provide it in hex format, but advisable to use it
+  certificatePEM?: string // Optional, as long as the certificate then is part of the certificateChainPEM
+  certificateChainURL?: string // Certificate chain URL. If used this is where the certificateChainPEM will be hosted/found.
+  certificateChainPEM?: string // Base64 (not url!) encoded DER certificate chain. Please provide even if certificateChainURL is used!
+}

package/src/x509/index.ts

@@ -0,0 +1,4 @@
+export * from './rsa-key'
+export * from './rsa-signer'
+export * from './x509-utils'
+export * from './x509-validator'

package/src/x509/rsa-key.ts

@@ -0,0 +1,81 @@
+import * as u8a from 'uint8arrays'
+import { HashAlgorithm } from '../types'
+
+import { derToPEM } from './x509-utils'
+
+export type RSASignatureSchemes = 'RSASSA-PKCS1-V1_5' | 'RSA-PSS'
+
+export type RSAEncryptionSchemes = 'RSAES-PKCS-v1_5 ' | 'RSAES-OAEP'
+
+const usage = (jwk: JsonWebKey): KeyUsage[] => {
+  if (jwk.key_ops && jwk.key_ops.length > 0) {
+    return jwk.key_ops as KeyUsage[]
+  }
+  if (jwk.use) {
+    const usages: KeyUsage[] = []
+    if (jwk.use.includes('sig')) {
+      usages.push('sign', 'verify')
+    } else if (jwk.use.includes('enc')) {
+      usages.push('encrypt', 'decrypt')
+    }
+    if (usages.length > 0) {
+      return usages
+    }
+  }
+  if (jwk.kty === 'RSA') {
+    if (jwk.d) {
+      return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['encrypt'] : ['sign']
+    }
+    return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['decrypt'] : ['verify']
+  }
+  // "decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey";
+  return jwk.d && jwk.kty !== 'RSA' ? ['sign', 'decrypt', 'verify', 'encrypt'] : ['verify']
+}
+
+export const signAlgorithmToSchemeAndHashAlg = (signingAlg: string) => {
+  const alg = signingAlg.toUpperCase()
+  let scheme: RSAEncryptionSchemes | RSASignatureSchemes
+  if (alg.startsWith('RS')) {
+    scheme = 'RSASSA-PKCS1-V1_5'
+  } else if (alg.startsWith('PS')) {
+    scheme = 'RSA-PSS'
+  } else {
+    throw Error(`Invalid signing algorithm supplied ${signingAlg}`)
+  }
+
+  const hashAlgorithm = `SHA-${alg.substring(2)}` as HashAlgorithm
+  return { scheme, hashAlgorithm }
+}
+
+export const cryptoSubtleImportRSAKey = async (
+  jwk: JsonWebKey,
+  scheme: RSAEncryptionSchemes | RSASignatureSchemes,
+  hashAlgorithm?: HashAlgorithm
+): Promise<CryptoKey> => {
+  const hashName = hashAlgorithm ? hashAlgorithm : jwk.alg ? `SHA-${jwk.alg.substring(2)}` : 'SHA-256'
+
+  const importParams: RsaHashedImportParams = { name: scheme, hash: hashName }
+  return await crypto.subtle.importKey('jwk', jwk as JsonWebKey, importParams, false, usage(jwk))
+}
+
+export const generateRSAKeyAsPEM = async (
+  scheme: RSAEncryptionSchemes | RSASignatureSchemes,
+  hashAlgorithm?: HashAlgorithm,
+  modulusLength?: number
+): Promise<string> => {
+  const hashName = hashAlgorithm ? hashAlgorithm : 'SHA-256'
+
+  const params: RsaHashedKeyGenParams = {
+    name: scheme,
+    hash: hashName,
+    modulusLength: modulusLength ? modulusLength : 2048,
+    publicExponent: new Uint8Array([1, 0, 1]),
+  }
+  const keyUsage: KeyUsage[] = scheme === 'RSA-PSS' || scheme === 'RSASSA-PKCS1-V1_5' ? ['sign', 'verify'] : ['encrypt', 'decrypt']
+
+  const keypair = await crypto.subtle.generateKey(params, true, keyUsage)
+  const pkcs8 = await crypto.subtle.exportKey('pkcs8', keypair.privateKey)
+
+  const uint8Array = new Uint8Array(pkcs8)
+  return derToPEM(u8a.toString(uint8Array, 'base64pad'), 'RSA PRIVATE KEY')
+}

package/src/x509/rsa-signer.ts

@@ -0,0 +1,80 @@
+import * as u8a from 'uint8arrays'
+import { HashAlgorithm, KeyVisibility } from '../types'
+import { cryptoSubtleImportRSAKey, RSAEncryptionSchemes, RSASignatureSchemes } from './rsa-key'
+import { PEMToJwk } from './x509-utils'
+
+export class RSASigner {
+  private readonly hashAlgorithm: HashAlgorithm
+  private readonly jwk: JsonWebKey
+
+  private key: CryptoKey | undefined
+  private readonly scheme: RSAEncryptionSchemes | RSASignatureSchemes
+
+  /**
+   *
+   * @param key Either in PEM or JWK format (no raw hex keys here!)
+   * @param opts The algorithm and signature/encryption schemes
+   */
+  constructor(
+    key: string | JsonWebKey,
+    opts?: { hashAlgorithm?: HashAlgorithm; scheme?: RSAEncryptionSchemes | RSASignatureSchemes; visibility?: KeyVisibility }
+  ) {
+    if (typeof key === 'string') {
+      this.jwk = PEMToJwk(key, opts?.visibility)
+    } else {
+      this.jwk = key
+    }
+
+    this.hashAlgorithm = opts?.hashAlgorithm ?? 'SHA-256'
+    this.scheme = opts?.scheme ?? 'RSA-PSS'
+  }
+
+  private getImportParams(): AlgorithmIdentifier | RsaPssParams {
+    if (this.scheme === 'RSA-PSS') {
+      return { name: this.scheme, saltLength: 32 }
+    }
+    // console.log({ name: this.scheme /*, hash: this.hashAlgorithm*/ })
+    return { name: this.scheme /*, hash: this.hashAlgorithm*/ }
+  }
+
+  private async getKey(): Promise<CryptoKey> {
+    if (!this.key) {
+      this.key = await cryptoSubtleImportRSAKey(this.jwk, this.scheme, this.hashAlgorithm)
+    }
+    return this.key
+  }
+
+  private bufferToString(buf: ArrayBuffer) {
+    const uint8Array = new Uint8Array(buf)
+    return u8a.toString(uint8Array, 'base64url') // Needs to be base64url for JsonWebSignature2020. Don't change!
+  }
+
+  public async sign(data: Uint8Array): Promise<string> {
+    const input = data
+    const key = await this.getKey()
+    const signature = this.bufferToString(await crypto.subtle.sign(this.getImportParams(), key, input))
+    if (!signature) {
+      throw Error('Could not sign input data')
+    }
+
+    //  base64url signature
+    return signature
+  }
+
+  public async verify(data: string | Uint8Array, signature: string): Promise<boolean> {
+    const jws = signature.includes('.') ? signature.split('.')[2] : signature
+
+    const input = typeof data == 'string' ? u8a.fromString(data, 'utf-8') : data
+
+    let key = await this.getKey()
+    if (!key.usages.includes('verify')) {
+      const verifyJwk = { ...this.jwk }
+      delete verifyJwk.d
+      delete verifyJwk.use
+      delete verifyJwk.key_ops
+      key = await cryptoSubtleImportRSAKey(verifyJwk, this.scheme, this.hashAlgorithm)
+    }
+    const verificationResult = await crypto.subtle.verify(this.getImportParams(), key, u8a.fromString(jws, 'base64url'), input)
+    return verificationResult
+  }
+}