@sphereon/ssi-sdk-ext.x509-utils 0.24.1-unstable.9

package/src/x509/x509-utils.ts

@@ -0,0 +1,165 @@
+import { Certificate } from 'pkijs'
+import * as u8a from 'uint8arrays'
+// @ts-ignore
+import keyto from '@trust/keyto'
+import { KeyVisibility } from '../types'
+
+// Based on (MIT licensed):
+// https://github.com/hildjj/node-posh/blob/master/lib/index.js
+export function pemCertChainTox5c(cert: string, maxDepth?: number): string[] {
+  if (!maxDepth) {
+    maxDepth = 0
+  }
+  /*
+   * Convert a PEM-encoded certificate to the version used in the x5c element
+   * of a [JSON Web Key](http://tools.ietf.org/html/draft-ietf-jose-json-web-key).
+   *
+   * `cert` PEM-encoded certificate chain
+   * `maxdepth` The maximum number of certificates to use from the chain.
+   */
+
+  const intermediate = cert
+    .replace(/-----[^\n]+\n?/gm, ',')
+    .replace(/\n/g, '')
+    .replace(/\r/g, '')
+  let x5c = intermediate.split(',').filter(function (c) {
+    return c.length > 0
+  })
+  if (maxDepth > 0) {
+    x5c = x5c.splice(0, maxDepth)
+  }
+  return x5c
+}
+
+export function x5cToPemCertChain(x5c: string[], maxDepth?: number): string {
+  if (!maxDepth) {
+    maxDepth = 0
+  }
+  const length = maxDepth === 0 ? x5c.length : Math.min(maxDepth, x5c.length)
+  let pem = ''
+  for (let i = 0; i < length; i++) {
+    pem += derToPEM(x5c[i], 'CERTIFICATE')
+  }
+  return pem
+}
+
+export const pemOrDerToX509Certificate = (cert: string | Uint8Array): Certificate => {
+  if (typeof cert !== 'string') {
+    return Certificate.fromBER(cert)
+  }
+  let DER = cert
+  if (cert.includes('CERTIFICATE')) {
+    DER = PEMToDer(cert)
+  }
+  return Certificate.fromBER(u8a.fromString(DER, 'base64pad'))
+}
+
+export const areCertificatesEqual = (cert1: Certificate, cert2: Certificate): boolean => {
+  return cert1.signatureValue.isEqual(cert2.signatureValue)
+}
+
+export const toKeyObject = (PEM: string, visibility: KeyVisibility = 'public') => {
+  const jwk = PEMToJwk(PEM, visibility)
+  const keyVisibility: KeyVisibility = jwk.d ? 'private' : 'public'
+  const keyHex = keyVisibility === 'private' ? privateKeyHexFromPEM(PEM) : publicKeyHexFromPEM(PEM)
+
+  return {
+    pem: hexToPEM(keyHex, visibility),
+    jwk,
+    keyHex,
+    keyType: keyVisibility,
+  }
+}
+
+export const jwkToPEM = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {
+  return keyto.from(jwk, 'jwk').toString('pem', visibility === 'public' ? 'public_pkcs8' : 'private_pkcs8')
+}
+
+export const PEMToJwk = (pem: string, visibility: KeyVisibility = 'public'): JsonWebKey => {
+  return keyto.from(pem, 'pem').toJwk(visibility)
+}
+export const privateKeyHexFromPEM = (PEM: string) => {
+  return PEMToHex(PEM)
+}
+
+export const hexKeyFromPEMBasedJwk = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {
+  if (visibility === 'private') {
+    return privateKeyHexFromPEM(jwkToPEM(jwk, 'private'))
+  } else {
+    return publicKeyHexFromPEM(jwkToPEM(jwk, 'public'))
+  }
+}
+
+export const publicKeyHexFromPEM = (PEM: string) => {
+  const hex = PEMToHex(PEM)
+  if (PEM.includes('CERTIFICATE')) {
+    throw Error('Cannot directly deduce public Key from PEM Certificate yet')
+  } else if (!PEM.includes('PRIVATE')) {
+    return hex
+  }
+  const publicJwk = PEMToJwk(PEM, 'public')
+  const publicPEM = jwkToPEM(publicJwk, 'public')
+  return PEMToHex(publicPEM)
+}
+
+export const PEMToHex = (PEM: string, headerKey?: string): string => {
+  if (PEM.indexOf('-----BEGIN ') == -1) {
+    throw Error(`PEM header not found: ${headerKey}`)
+  }
+
+  let strippedPem: string
+  if (headerKey) {
+    strippedPem = PEM.replace(new RegExp('^[^]*-----BEGIN ' + headerKey + '-----'), '')
+    strippedPem = strippedPem.replace(new RegExp('-----END ' + headerKey + '-----[^]*$'), '')
+  } else {
+    strippedPem = PEM.replace(/^[^]*-----BEGIN [^-]+-----/, '')
+    strippedPem = strippedPem.replace(/-----END [^-]+-----[^]*$/, '')
+  }
+  return base64ToHex(strippedPem, 'base64pad')
+}
+
+/**
+ * Converts a base64 encoded string to hex string, removing any non-base64 characters, including newlines
+ * @param input The input in base64, with optional newlines
+ * @param inputEncoding
+ */
+export const base64ToHex = (input: string, inputEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad') => {
+  const base64NoNewlines = input.replace(/[^0-9A-Za-z_\-~\/+=]*/g, '')
+  return u8a.toString(u8a.fromString(base64NoNewlines, inputEncoding ? inputEncoding : 'base64pad'), 'base16')
+}
+
+export const hexToBase64 = (input: number | object | string, targetEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad'): string => {
+  let hex = typeof input === 'string' ? input : input.toString(16)
+  if (hex.length % 2 === 1) {
+    hex = `0${hex}`
+  }
+  return u8a.toString(u8a.fromString(hex, 'base16'), targetEncoding ? targetEncoding : 'base64pad')
+}
+
+export const hexToPEM = (hex: string, type: KeyVisibility): string => {
+  const base64 = hexToBase64(hex, 'base64pad')
+  const headerKey = type === 'private' ? 'RSA PRIVATE KEY' : 'PUBLIC KEY'
+  if (type === 'private') {
+    const pem = derToPEM(base64, headerKey)
+    try {
+      PEMToJwk(pem) // We only use it to test the private key
+      return pem
+    } catch (error) {
+      return derToPEM(base64, 'PRIVATE KEY')
+    }
+  }
+  return derToPEM(base64, headerKey)
+}
+
+export function PEMToDer(pem: string): string {
+  return pem.replace(/(-----(BEGIN|END) CERTIFICATE-----|[\n\r])/g, '')
+}
+
+export function derToPEM(cert: string, headerKey?: 'PUBLIC KEY' | 'RSA PRIVATE KEY' | 'PRIVATE KEY' | 'CERTIFICATE'): string {
+  const key = headerKey ?? 'CERTIFICATE'
+  const matches = cert.match(/.{1,64}/g)
+  if (!matches) {
+    throw Error('Invalid cert input value supplied')
+  }
+  return `-----BEGIN ${key}-----\n${matches.join('\n')}\n-----END ${key}-----\n`
+}

package/src/x509/x509-validator.ts

@@ -0,0 +1,162 @@
+import { AttributeTypeAndValue, Certificate, CertificateChainValidationEngine, CryptoEngine, getCrypto, setEngine } from 'pkijs'
+import { pemOrDerToX509Certificate } from './x509-utils'
+
+export type DNInfo = {
+  DN: string
+  attributes: Record<string, string>
+}
+
+export type CertInfo = {
+  certificate?: Certificate
+  notBefore: Date
+  notAfter: Date
+  publicKeyJWK?: any
+  issuer: {
+    dn: DNInfo
+  }
+  subject: {
+    dn: DNInfo
+  }
+}
+
+export type X509ValidationResult = {
+  error: boolean
+  critical: boolean
+  message: string
+  verificationTime: Date
+  certificateChain?: Array<CertInfo>
+}
+
+const defaultCryptoEngine = () => {
+  if (typeof self !== 'undefined') {
+    if ('crypto' in self) {
+      let engineName = 'webcrypto'
+      if ('webkitSubtle' in self.crypto) {
+        engineName = 'safari'
+      }
+      setEngine(engineName, new CryptoEngine({ name: engineName, crypto: crypto }))
+    }
+  } else if (typeof crypto !== 'undefined' && 'webcrypto' in crypto) {
+    const name = 'NodeJS ^15'
+    const nodeCrypto = crypto.webcrypto
+    // @ts-ignore
+    setEngine(name, new CryptoEngine({ name, crypto: nodeCrypto }))
+  } else if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
+    const name = 'crypto'
+    setEngine(name, new CryptoEngine({ name, crypto: crypto }))
+  }
+}
+/**
+ *
+ * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
+ * @param trustedPEMs
+ * @param verificationTime
+ * @param opts
+ */
+export const validateX509CertificateChain = async ({
+  chain: pemOrDerChain,
+  trustAnchors,
+  verificationTime = new Date(),
+  opts = { trustRootWhenNoAnchors: false },
+}: {
+  chain: (Uint8Array | string)[]
+  trustAnchors?: string[]
+  verificationTime?: Date
+  opts?: { trustRootWhenNoAnchors: boolean }
+}): Promise<X509ValidationResult> => {
+  const { trustRootWhenNoAnchors = false } = opts
+  const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors
+
+  if (pemOrDerChain.length === 0) {
+    return {
+      error: true,
+      critical: true,
+      message: 'Certificate chain in DER or PEM format must not be empty',
+      verificationTime,
+    }
+  }
+
+  const certs = pemOrDerChain.map(pemOrDerToX509Certificate)
+  const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined
+  defaultCryptoEngine()
+
+  const validationEngine = new CertificateChainValidationEngine({
+    certs /*crls: [crl1],   ocsps: [ocsp1], */,
+    checkDate: verificationTime,
+    trustedCerts,
+  })
+
+  const verification = await validationEngine.verify()
+  if (!verification.result || !verification.certificatePath) {
+    return {
+      error: true,
+      critical: true,
+      message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,
+      verificationTime,
+    }
+  }
+  const subtle = getCrypto(true).subtle
+  const certPath = verification.certificatePath
+  const certInfos: Array<CertInfo> = await Promise.all(
+    certPath.map(async (certificate) => {
+      const pk = await certificate.getPublicKey()
+      return {
+        issuer: { dn: getIssuerDN(certificate) },
+        subject: { dn: getSubjectDN(certificate) },
+        publicKeyJWK: await subtle.exportKey('jwk', pk),
+        notBefore: certificate.notBefore.value,
+        notAfter: certificate.notAfter.value,
+        // certificate
+      } satisfies CertInfo
+    })
+  )
+  return {
+    error: false,
+    critical: false,
+    message: `Certificate chain was valid`,
+    verificationTime,
+    certificateChain: certInfos,
+  }
+}
+
+const rdnmap: Record<string, string> = {
+  '2.5.4.6': 'C',
+  '2.5.4.10': 'O',
+  '2.5.4.11': 'OU',
+  '2.5.4.3': 'CN',
+  '2.5.4.7': 'L',
+  '2.5.4.8': 'ST',
+  '2.5.4.12': 'T',
+  '2.5.4.42': 'GN',
+  '2.5.4.43': 'I',
+  '2.5.4.4': 'SN',
+  '1.2.840.113549.1.9.1': 'E-mail',
+}
+
+export const getIssuerDN = (cert: Certificate): DNInfo => {
+  return {
+    DN: getDNString(cert.issuer.typesAndValues),
+    attributes: getDNObject(cert.issuer.typesAndValues),
+  }
+}
+
+export const getSubjectDN = (cert: Certificate): DNInfo => {
+  return {
+    DN: getDNString(cert.subject.typesAndValues),
+    attributes: getDNObject(cert.subject.typesAndValues),
+  }
+}
+
+const getDNObject = (typesAndValues: AttributeTypeAndValue[]): Record<string, string> => {
+  const DN: Record<string, string> = {}
+  for (const typeAndValue of typesAndValues) {
+    const type = rdnmap[typeAndValue.type] ?? typeAndValue.type
+    DN[type] = typeAndValue.value.getValue()
+  }
+  return DN
+}
+const getDNString = (typesAndValues: AttributeTypeAndValue[]): string => {
+  return Object.entries(getDNObject(typesAndValues))
+    .map(([key, value]) => `${key}=${value}`)
+    .join(',')
+}