@sphereon/ssi-sdk-ext.x509-utils 0.26.1-feature.SPRIND.124.esim.31 → 0.26.1-feature.SPRIND.124.esim.47
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/x509/crypto.d.ts.map +1 -1
- package/dist/x509/crypto.js.map +1 -1
- package/dist/x509/rsa-key.d.ts.map +1 -1
- package/dist/x509/rsa-key.js.map +1 -1
- package/dist/x509/rsa-signer.js.map +1 -1
- package/dist/x509/x509-validator.d.ts +3 -15
- package/dist/x509/x509-validator.d.ts.map +1 -1
- package/dist/x509/x509-validator.js +166 -83
- package/dist/x509/x509-validator.js.map +1 -1
- package/package.json +2 -2
- package/src/x509/crypto.ts +16 -17
- package/src/x509/rsa-key.ts +1 -2
- package/src/x509/rsa-signer.ts +1 -1
- package/src/x509/x509-validator.ts +195 -155
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/x509/crypto.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/x509/crypto.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,YAAY,cAAe,OAAO,mBAAmB,MAAM,KAAG,MAkB1E,CAAA"}
|
package/dist/x509/crypto.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/x509/crypto.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/x509/crypto.ts"],"names":[],"mappings":";;;AAAO,MAAM,YAAY,GAAG,CAAC,SAAkB,EAAE,cAAuB,EAAU,EAAE;;IAClF,IAAI,SAAiB,CAAA;IACrB,IAAI,OAAO,cAAc,KAAK,WAAW,EAAE,CAAC;QAC1C,SAAS,GAAG,cAAc,CAAA;IAC5B,CAAC;SAAM,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QACzC,SAAS,GAAG,MAAM,CAAA;IACpB,CAAC;SAAM,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QAChD,SAAS,GAAG,MAAM,CAAC,MAAM,CAAA;IAC3B,CAAC;SAAM,IAAI,OAAO,CAAA,MAAA,MAAA,MAAM,CAAC,MAAM,0CAAE,MAAM,0CAAE,MAAM,CAAA,KAAK,WAAW,EAAE,CAAC;QAChE,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAA;IAClC,CAAC;SAAM,CAAC;QACN,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAW,CAAA;IACzC,CAAC;IACD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,CAAC,MAAM,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC,CAAA;AAlBY,QAAA,YAAY,gBAkBxB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"rsa-key.d.ts","sourceRoot":"","sources":["../../src/x509/rsa-key.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAKxC,MAAM,MAAM,mBAAmB,GAAG,mBAAmB,GAAG,SAAS,CAAA;AAEjE,MAAM,MAAM,oBAAoB,GAAG,kBAAkB,GAAG,YAAY,CAAA;AA2BpE,eAAO,MAAM,+BAA+B,eAAgB,MAAM;;;CAajE,CAAA;AAED,eAAO,MAAM,wBAAwB,QAC9B,UAAU,UACP,oBAAoB,GAAG,mBAAmB,kBAClC,aAAa,KAC5B,OAAO,CAAC,SAAS,CAKnB,CAAA;
|
|
1
|
+
{"version":3,"file":"rsa-key.d.ts","sourceRoot":"","sources":["../../src/x509/rsa-key.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAKxC,MAAM,MAAM,mBAAmB,GAAG,mBAAmB,GAAG,SAAS,CAAA;AAEjE,MAAM,MAAM,oBAAoB,GAAG,kBAAkB,GAAG,YAAY,CAAA;AA2BpE,eAAO,MAAM,+BAA+B,eAAgB,MAAM;;;CAajE,CAAA;AAED,eAAO,MAAM,wBAAwB,QAC9B,UAAU,UACP,oBAAoB,GAAG,mBAAmB,kBAClC,aAAa,KAC5B,OAAO,CAAC,SAAS,CAKnB,CAAA;AAED,eAAO,MAAM,mBAAmB,WACtB,oBAAoB,GAAG,mBAAmB,kBAClC,aAAa,kBACb,MAAM,KACrB,OAAO,CAAC,MAAM,CAgBhB,CAAA"}
|
package/dist/x509/rsa-key.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"rsa-key.js","sourceRoot":"","sources":["../../src/x509/rsa-key.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAkC;AAElC,
|
|
1
|
+
{"version":3,"file":"rsa-key.js","sourceRoot":"","sources":["../../src/x509/rsa-key.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAkC;AAElC,qCAAuC;AAEvC,6CAAuC;AAMvC,MAAM,KAAK,GAAG,CAAC,GAAe,EAAc,EAAE;;IAC5C,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO,GAAG,CAAC,OAAqB,CAAA;IAClC,CAAC;IACD,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,MAAM,MAAM,GAAe,EAAE,CAAA;QAC7B,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QAC/B,CAAC;aAAM,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;QACnC,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,MAAM,CAAA;QACf,CAAC;IACH,CAAC;IACD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;QACtB,IAAI,GAAG,CAAC,CAAC,EAAE,CAAC;YACV,OAAO,CAAA,MAAA,MAAA,GAAG,CAAC,GAAG,0CAAE,WAAW,EAAE,0CAAE,QAAQ,CAAC,MAAM,CAAC,EAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAA;QAC1E,CAAC;QACD,OAAO,CAAA,MAAA,MAAA,GAAG,CAAC,GAAG,0CAAE,WAAW,EAAE,0CAAE,QAAQ,CAAC,MAAM,CAAC,EAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;IAC5E,CAAC;IACD,oGAAoG;IACpG,OAAO,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;AAC3F,CAAC,CAAA;AAEM,MAAM,+BAA+B,GAAG,CAAC,UAAkB,EAAE,EAAE;IACpE,MAAM,GAAG,GAAG,UAAU,CAAC,WAAW,EAAE,CAAA;IACpC,IAAI,MAAkD,CAAA;IACtD,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,GAAG,mBAAmB,CAAA;IAC9B,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,GAAG,SAAS,CAAA;IACpB,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,CAAC,sCAAsC,UAAU,EAAE,CAAC,CAAA;IACjE,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAmB,CAAA;IAChE,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;AAClC,CAAC,CAAA;AAbY,QAAA,+BAA+B,mCAa3C;AAEM,MAAM,wBAAwB,GAAG,CACtC,GAAe,EACf,MAAkD,EAClD,aAA6B,EACT,EAAE;IACtB,MAAM,QAAQ,GAAG,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAA;IAEpG,MAAM,YAAY,GAA0B,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;IAC5E,OAAO,MAAM,IAAA,qBAAY,EAAC,KAAK,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAiB,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;AAC9G,CAAC,CAAA,CAAA;AATY,QAAA,wBAAwB,4BASpC;AAEM,MAAM,mBAAmB,GAAG,CACjC,MAAkD,EAClD,aAA6B,EAC7B,aAAsB,EACL,EAAE;IACnB,MAAM,QAAQ,GAAG,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAA;IAE1D,MAAM,MAAM,GAA0B;QACpC,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,QAAQ;QACd,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI;QACnD,cAAc,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;KAC1C,CAAA;IACD,MAAM,QAAQ,GAAe,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,mBAAmB,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;IAEjI,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAA;IACpF,MAAM,KAAK,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,CAAA;IAErF,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAA;IACxC,OAAO,IAAA,qBAAQ,EAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,iBAAiB,CAAC,CAAA;AAC3E,CAAC,CAAA,CAAA;AApBY,QAAA,mBAAmB,uBAoB/B"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"rsa-signer.js","sourceRoot":"","sources":["../../src/x509/rsa-signer.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAkC;AAElC,
|
|
1
|
+
{"version":3,"file":"rsa-signer.js","sourceRoot":"","sources":["../../src/x509/rsa-signer.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAkC;AAElC,qCAAuC;AACvC,uCAA+F;AAC/F,6CAAuC;AAEvC,MAAa,SAAS;IAOpB;;;;OAIG;IACH,YACE,GAAwB,EACxB,IAAyH;;QAEzH,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC,GAAG,GAAG,IAAA,qBAAQ,EAAC,GAAG,EAAE,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,UAAU,CAAC,CAAA;QAC5C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,GAAG,GAAG,GAAG,CAAA;QAChB,CAAC;QAED,IAAI,CAAC,aAAa,GAAG,MAAA,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,aAAa,mCAAI,SAAS,CAAA;QACrD,IAAI,CAAC,MAAM,GAAG,MAAA,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,MAAM,mCAAI,SAAS,CAAA;IACzC,CAAC;IAEO,eAAe;QACrB,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,CAAA;QAC9C,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,8BAA8B,EAAE,CAAA;IAC7D,CAAC;IAEa,MAAM;;YAClB,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACd,IAAI,CAAC,GAAG,GAAG,MAAM,IAAA,kCAAwB,EAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,aAAa,CAAC,CAAA;YACtF,CAAC;YACD,OAAO,IAAI,CAAC,GAAG,CAAA;QACjB,CAAC;KAAA;IAEO,cAAc,CAAC,GAAgB;QACrC,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAA;QACtC,OAAO,GAAG,CAAC,QAAQ,CAAC,UAAU,EAAE,WAAW,CAAC,CAAA,CAAC,gEAAgE;IAC/G,CAAC;IAEY,IAAI,CAAC,IAAgB;;YAChC,MAAM,KAAK,GAAG,IAAI,CAAA;YAClB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAA;YAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,IAAA,qBAAY,EAAC,KAAK,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;YAChH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,KAAK,CAAC,2BAA2B,CAAC,CAAA;YAC1C,CAAC;YAED,uBAAuB;YACvB,OAAO,SAAS,CAAA;QAClB,CAAC;KAAA;IAEY,MAAM,CAAC,IAAyB,EAAE,SAAiB;;YAC9D,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;YAEzE,MAAM,KAAK,GAAG,OAAO,IAAI,IAAI,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YAE5E,IAAI,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAA;YAC7B,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACnC,MAAM,SAAS,qBAAQ,IAAI,CAAC,GAAG,CAAE,CAAA;gBACjC,OAAO,SAAS,CAAC,CAAC,CAAA;gBAClB,OAAO,SAAS,CAAC,GAAG,CAAA;gBACpB,OAAO,SAAS,CAAC,OAAO,CAAA;gBACxB,GAAG,GAAG,MAAM,IAAA,kCAAwB,EAAC,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,aAAa,CAAC,CAAA;YAClF,CAAC;YACD,MAAM,kBAAkB,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,KAAK,CAAC,CAAA;YACxI,OAAO,kBAAkB,CAAA;QAC3B,CAAC;KAAA;CACF;AAzED,8BAyEC"}
|
|
@@ -36,6 +36,7 @@ export declare const getCertificateInfo: (certificate: Certificate, opts?: {
|
|
|
36
36
|
sanTypeFilter: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[];
|
|
37
37
|
}) => Promise<CertificateInfo>;
|
|
38
38
|
export type X509CertificateChainValidationOpts = {
|
|
39
|
+
allowNoTrustAnchorsFound?: boolean;
|
|
39
40
|
trustRootWhenNoAnchors?: boolean;
|
|
40
41
|
allowSingleNoCAChainElement?: boolean;
|
|
41
42
|
blindlyTrustedAnchors?: string[];
|
|
@@ -54,7 +55,7 @@ export declare const validateX509CertificateChain: ({ chain: pemOrDerChain, trus
|
|
|
54
55
|
export declare const getX509AlgorithmProvider: () => AlgorithmProvider;
|
|
55
56
|
export type ParsedCertificate = {
|
|
56
57
|
publicKeyInfo: SubjectPublicKeyInfo;
|
|
57
|
-
publicKeyJwk
|
|
58
|
+
publicKeyJwk?: JWK;
|
|
58
59
|
publicKeyRaw: Uint8Array;
|
|
59
60
|
publicKeyAlgorithm: Algorithm;
|
|
60
61
|
certificateInfo: CertificateInfo;
|
|
@@ -62,22 +63,9 @@ export type ParsedCertificate = {
|
|
|
62
63
|
x509Certificate: X509Certificate;
|
|
63
64
|
};
|
|
64
65
|
export declare const parseCertificate: (rawCert: string | Uint8Array) => Promise<ParsedCertificate>;
|
|
65
|
-
/**
|
|
66
|
-
*
|
|
67
|
-
* @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
|
|
68
|
-
* @param trustedPEMs
|
|
69
|
-
* @param verificationTime
|
|
70
|
-
* @param opts
|
|
71
|
-
*/
|
|
72
|
-
export declare const validateX509CertificateChainOrg: ({ chain: pemOrDerChain, trustAnchors, verificationTime, opts, }: {
|
|
73
|
-
chain: (Uint8Array | string)[];
|
|
74
|
-
trustAnchors?: string[];
|
|
75
|
-
verificationTime?: Date;
|
|
76
|
-
opts?: X509CertificateChainValidationOpts;
|
|
77
|
-
}) => Promise<X509ValidationResult>;
|
|
78
66
|
export declare const getIssuerDN: (cert: Certificate) => DNInfo;
|
|
79
67
|
export declare const getSubjectDN: (cert: Certificate) => DNInfo;
|
|
80
|
-
export declare const getCertificateSubjectPublicKeyJWK: (pemOrDerCert: string | Uint8Array | Certificate) => Promise<
|
|
68
|
+
export declare const getCertificateSubjectPublicKeyJWK: (pemOrDerCert: string | Uint8Array | Certificate) => Promise<JWK>;
|
|
81
69
|
/**
|
|
82
70
|
* otherName [0] OtherName,
|
|
83
71
|
* rfc822Name [1] IA5String,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"x509-validator.d.ts","sourceRoot":"","sources":["../../src/x509/x509-validator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAC1D,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAEnE,OAAO,EAAE,GAAG,EAAE,MAAM,qBAAqB,CAAA;AAEzC,OAAO,
|
|
1
|
+
{"version":3,"file":"x509-validator.d.ts","sourceRoot":"","sources":["../../src/x509/x509-validator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAC1D,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAEnE,OAAO,EAAE,GAAG,EAAE,MAAM,qBAAqB,CAAA;AAEzC,OAAO,EAAkC,WAAW,EAAyD,MAAM,OAAO,CAAA;AAM1H,MAAM,MAAM,MAAM,GAAG;IACnB,EAAE,EAAE,MAAM,CAAA;IACV,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACnC,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,WAAW,CAAC,EAAE,GAAG,CAAA;IACjB,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,IAAI,CAAA;IACd,YAAY,CAAC,EAAE,GAAG,CAAA;IAClB,MAAM,EAAE;QACN,EAAE,EAAE,MAAM,CAAA;KACX,CAAA;IACD,OAAO,EAAE;QACP,EAAE,EAAE,MAAM,CAAA;QACV,uBAAuB,EAAE,sBAAsB,EAAE,CAAA;KAClD,CAAA;CACF,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,KAAK,EAAE,OAAO,CAAA;IACd,QAAQ,EAAE,OAAO,CAAA;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,gBAAgB,EAAE,IAAI,CAAA;IACtB,gBAAgB,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,CAAA;IACzC,WAAW,CAAC,EAAE,eAAe,CAAA;IAC7B,MAAM,CAAC,EAAE;QAEP,QAAQ,EAAE,MAAM,CAAA;QAChB,cAAc,EAAE,cAAc,CAAA;KAC/B,CAAA;CACF,CAAA;AAQD,eAAO,MAAM,kBAAkB,gBAChB,WAAW,SACjB;IACL,aAAa,EAAE,6BAA6B,GAAG,6BAA6B,EAAE,CAAA;CAC/E,KACA,OAAO,CAAC,eAAe,CAgBzB,CAAA;AAED,MAAM,MAAM,kCAAkC,GAAG;IAE/C,wBAAwB,CAAC,EAAE,OAAO,CAAA;IAGlC,sBAAsB,CAAC,EAAE,OAAO,CAAA;IAEhC,2BAA2B,CAAC,EAAE,OAAO,CAAA;IAGrC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAA;IAEhC,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B,MAAM,CAAC,EAAE;QAEP,QAAQ,EAAE,MAAM,CAAA;QAChB,cAAc,EAAE,cAAc,CAAA;KAC/B,CAAA;CACF,CAAA;AAED,eAAO,MAAM,4BAA4B,oEAYtC;IACD,KAAK,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,CAAA;IAC9B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,gBAAgB,CAAC,EAAE,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,kCAAkC,CAAA;CAC1C,KAAG,OAAO,CAAC,oBAAoB,CAS/B,CAAA;AAiLD,eAAO,MAAM,wBAAwB,QAAO,iBAE3C,CAAA;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,aAAa,EAAE,oBAAoB,CAAA;IACnC,YAAY,CAAC,EAAE,GAAG,CAAA;IAClB,YAAY,EAAE,UAAU,CAAA;IACxB,kBAAkB,EAAE,SAAS,CAAA;IAC7B,eAAe,EAAE,eAAe,CAAA;IAChC,WAAW,EAAE,WAAW,CAAA;IACxB,eAAe,EAAE,eAAe,CAAA;CACjC,CAAA;AAED,eAAO,MAAM,gBAAgB,YAAmB,MAAM,GAAG,UAAU,KAAG,OAAO,CAAC,iBAAiB,CAsB9F,CAAA;AAwJD,eAAO,MAAM,WAAW,SAAU,WAAW,KAAG,MAK/C,CAAA;AAED,eAAO,MAAM,YAAY,SAAU,WAAW,KAAG,MAKhD,CAAA;AAgBD,eAAO,MAAM,iCAAiC,iBAAwB,MAAM,GAAG,UAAU,GAAG,WAAW,KAAG,OAAO,CAAC,GAAG,CA4BpH,CAAA;AAED;;;;;;;;;;GAUG;AACH,oBAAY,6BAA6B;IACvC,UAAU,IAAI,CAAE,QAAQ;IACxB,OAAO,IAAI;IACX,yBAAyB,IAAI;IAC7B,SAAS,IAAI;CACd;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,6BAA6B,CAAA;CACpC;AAED,MAAM,MAAM,cAAc,GAAG,cAAc,GAAG,cAAc,CAAA;AAE5D,eAAO,MAAM,sCAAsC,gBAAiB,WAAW,YAAY,MAAM,kBAAkB,cAAc,KAAG,IAUnI,CAAA;AAED,eAAO,MAAM,6CAA6C,gBAC3C,WAAW,YACd,MAAM,kBACA,cAAc,KAC7B,OAAO,CAAC,oBAAoB,CAoB9B,CAAA;AAED,eAAO,MAAM,0BAA0B,gBACxB,WAAW,SACjB;IACL,UAAU,CAAC,EAAE,6BAA6B,GAAG,6BAA6B,EAAE,CAAA;IAE5E,oBAAoB,CAAC,EAAE,cAAc,CAAA;CACtC,KACA,sBAAsB,EAsBxB,CAAA"}
|
|
@@ -35,7 +35,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
35
35
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
36
36
|
};
|
|
37
37
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
38
|
-
exports.getSubjectAlternativeNames = exports.validateCertificateChainMatchesClientIdScheme = exports.assertCertificateMatchesClientIdScheme = exports.SubjectAlternativeGeneralName = exports.getCertificateSubjectPublicKeyJWK = exports.getSubjectDN = exports.getIssuerDN = exports.
|
|
38
|
+
exports.getSubjectAlternativeNames = exports.validateCertificateChainMatchesClientIdScheme = exports.assertCertificateMatchesClientIdScheme = exports.SubjectAlternativeGeneralName = exports.getCertificateSubjectPublicKeyJWK = exports.getSubjectDN = exports.getIssuerDN = exports.parseCertificate = exports.getX509AlgorithmProvider = exports.validateX509CertificateChain = exports.getCertificateInfo = void 0;
|
|
39
39
|
const asn1_schema_1 = require("@peculiar/asn1-schema");
|
|
40
40
|
const asn1_x509_1 = require("@peculiar/asn1-x509");
|
|
41
41
|
const x509_1 = require("@peculiar/x509");
|
|
@@ -43,37 +43,26 @@ const js_x509_utils_1 = __importDefault(require("js-x509-utils"));
|
|
|
43
43
|
const pkijs_1 = require("pkijs");
|
|
44
44
|
const tsyringe_1 = require("tsyringe");
|
|
45
45
|
const u8a = __importStar(require("uint8arrays"));
|
|
46
|
+
const crypto_1 = require("./crypto");
|
|
46
47
|
const x509_utils_1 = require("./x509-utils");
|
|
47
48
|
const defaultCryptoEngine = () => {
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
if ('webkitSubtle' in self.crypto) {
|
|
52
|
-
engineName = 'safari';
|
|
53
|
-
}
|
|
54
|
-
(0, pkijs_1.setEngine)(engineName, new pkijs_1.CryptoEngine({ name: engineName, crypto: crypto }));
|
|
55
|
-
}
|
|
56
|
-
}
|
|
57
|
-
else if (typeof crypto !== 'undefined' && 'webcrypto' in crypto) {
|
|
58
|
-
const name = 'NodeJS ^15';
|
|
59
|
-
const nodeCrypto = crypto.webcrypto;
|
|
60
|
-
// @ts-ignore
|
|
61
|
-
(0, pkijs_1.setEngine)(name, new pkijs_1.CryptoEngine({ name, crypto: nodeCrypto }));
|
|
62
|
-
}
|
|
63
|
-
else if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
|
|
64
|
-
const name = 'crypto';
|
|
65
|
-
(0, pkijs_1.setEngine)(name, new pkijs_1.CryptoEngine({ name, crypto: crypto }));
|
|
66
|
-
}
|
|
49
|
+
const name = 'crypto';
|
|
50
|
+
(0, pkijs_1.setEngine)(name, new pkijs_1.CryptoEngine({ name, crypto: (0, crypto_1.globalCrypto)(false) }));
|
|
51
|
+
return (0, pkijs_1.getCrypto)(true);
|
|
67
52
|
};
|
|
68
53
|
const getCertificateInfo = (certificate, opts) => __awaiter(void 0, void 0, void 0, function* () {
|
|
69
|
-
|
|
54
|
+
let publicKeyJWK;
|
|
55
|
+
try {
|
|
56
|
+
publicKeyJWK = (yield (0, exports.getCertificateSubjectPublicKeyJWK)(certificate));
|
|
57
|
+
}
|
|
58
|
+
catch (e) { }
|
|
70
59
|
return {
|
|
71
60
|
issuer: { dn: (0, exports.getIssuerDN)(certificate) },
|
|
72
61
|
subject: {
|
|
73
62
|
dn: (0, exports.getSubjectDN)(certificate),
|
|
74
63
|
subjectAlternativeNames: (0, exports.getSubjectAlternativeNames)(certificate, { typeFilter: opts === null || opts === void 0 ? void 0 : opts.sanTypeFilter }),
|
|
75
64
|
},
|
|
76
|
-
publicKeyJWK
|
|
65
|
+
publicKeyJWK,
|
|
77
66
|
notBefore: certificate.notBefore.value,
|
|
78
67
|
notAfter: certificate.notAfter.value,
|
|
79
68
|
// certificate
|
|
@@ -81,6 +70,8 @@ const getCertificateInfo = (certificate, opts) => __awaiter(void 0, void 0, void
|
|
|
81
70
|
});
|
|
82
71
|
exports.getCertificateInfo = getCertificateInfo;
|
|
83
72
|
const validateX509CertificateChain = (_a) => __awaiter(void 0, [_a], void 0, function* ({ chain: pemOrDerChain, trustAnchors, verificationTime = new Date(), opts = {
|
|
73
|
+
// If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)
|
|
74
|
+
allowNoTrustAnchorsFound: false,
|
|
84
75
|
trustRootWhenNoAnchors: false,
|
|
85
76
|
allowSingleNoCAChainElement: true,
|
|
86
77
|
blindlyTrustedAnchors: [],
|
|
@@ -89,7 +80,7 @@ const validateX509CertificateChain = (_a) => __awaiter(void 0, [_a], void 0, fun
|
|
|
89
80
|
// We allow 1 reversal. We reverse by default as the implementation expects the root ca first, whilst x5c is the opposite. Reversed becomes true if the impl reverses the chain
|
|
90
81
|
return yield validateX509CertificateChainImpl({
|
|
91
82
|
reversed: false,
|
|
92
|
-
chain: pemOrDerChain.reverse(),
|
|
83
|
+
chain: [...pemOrDerChain].reverse(),
|
|
93
84
|
trustAnchors,
|
|
94
85
|
verificationTime,
|
|
95
86
|
opts,
|
|
@@ -99,7 +90,7 @@ exports.validateX509CertificateChain = validateX509CertificateChain;
|
|
|
99
90
|
const validateX509CertificateChainImpl = (_a) => __awaiter(void 0, [_a], void 0, function* ({ reversed, chain: pemOrDerChain, trustAnchors, verificationTime: verifyAt, opts, }) {
|
|
100
91
|
var _b, _c, _d, _e, _f;
|
|
101
92
|
const verificationTime = typeof verifyAt === 'string' ? new Date(verifyAt) : verifyAt;
|
|
102
|
-
const { trustRootWhenNoAnchors = false, allowSingleNoCAChainElement = true, blindlyTrustedAnchors = [], disallowReversedChain = false, client, } = opts;
|
|
93
|
+
const { allowNoTrustAnchorsFound = false, trustRootWhenNoAnchors = false, allowSingleNoCAChainElement = true, blindlyTrustedAnchors = [], disallowReversedChain = false, client, } = opts;
|
|
103
94
|
const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors;
|
|
104
95
|
if (pemOrDerChain.length === 0) {
|
|
105
96
|
return {
|
|
@@ -110,11 +101,21 @@ const validateX509CertificateChainImpl = (_a) => __awaiter(void 0, [_a], void 0,
|
|
|
110
101
|
};
|
|
111
102
|
}
|
|
112
103
|
defaultCryptoEngine();
|
|
113
|
-
// x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around
|
|
104
|
+
// x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around. Before calling this function the change has been revered
|
|
114
105
|
const chain = yield Promise.all(pemOrDerChain.map((raw) => (0, exports.parseCertificate)(raw)));
|
|
106
|
+
const x5cOrdereredChain = reversed ? [...chain] : [...chain].reverse();
|
|
115
107
|
const trustedCerts = trustedPEMs ? yield Promise.all(trustedPEMs.map((raw) => (0, exports.parseCertificate)(raw))) : undefined;
|
|
116
|
-
const blindlyTrusted = (_b = (yield Promise.all(blindlyTrustedAnchors.map((raw) =>
|
|
117
|
-
|
|
108
|
+
const blindlyTrusted = (_b = (yield Promise.all(blindlyTrustedAnchors.map((raw) => {
|
|
109
|
+
try {
|
|
110
|
+
return (0, exports.parseCertificate)(raw);
|
|
111
|
+
}
|
|
112
|
+
catch (e) {
|
|
113
|
+
// @ts-ignore
|
|
114
|
+
console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`);
|
|
115
|
+
return undefined;
|
|
116
|
+
}
|
|
117
|
+
}))).filter((cert) => cert !== undefined)) !== null && _b !== void 0 ? _b : [];
|
|
118
|
+
const leafCert = x5cOrdereredChain[0];
|
|
118
119
|
const chainLength = chain.length;
|
|
119
120
|
var foundTrustAnchor = undefined;
|
|
120
121
|
for (let i = 0; i < chainLength; i++) {
|
|
@@ -123,20 +124,20 @@ const validateX509CertificateChainImpl = (_a) => __awaiter(void 0, [_a], void 0,
|
|
|
123
124
|
const blindlyTrustedCert = blindlyTrusted.find((trusted) => (0, x509_utils_1.areCertificatesEqual)(trusted.certificate, currentCert.certificate));
|
|
124
125
|
if (blindlyTrustedCert) {
|
|
125
126
|
console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`);
|
|
126
|
-
return Object.assign({ error: false, critical: false, message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`, detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`, trustAnchor: blindlyTrustedCert === null || blindlyTrustedCert === void 0 ? void 0 : blindlyTrustedCert.certificateInfo, verificationTime, certificateChain:
|
|
127
|
+
return Object.assign({ error: false, critical: false, message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`, detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`, trustAnchor: blindlyTrustedCert === null || blindlyTrustedCert === void 0 ? void 0 : blindlyTrustedCert.certificateInfo, verificationTime, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo) }, (client && { client }));
|
|
127
128
|
}
|
|
128
129
|
if (previousCert) {
|
|
129
130
|
if (currentCert.x509Certificate.issuer !== previousCert.x509Certificate.subject) {
|
|
130
131
|
if (!reversed && !disallowReversedChain) {
|
|
131
132
|
return yield validateX509CertificateChainImpl({
|
|
132
133
|
reversed: true,
|
|
133
|
-
chain: pemOrDerChain.reverse(),
|
|
134
|
+
chain: [...pemOrDerChain].reverse(),
|
|
134
135
|
opts,
|
|
135
136
|
verificationTime,
|
|
136
137
|
trustAnchors,
|
|
137
138
|
});
|
|
138
139
|
}
|
|
139
|
-
return Object.assign({ error: true, critical: true, message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert === null || previousCert === void 0 ? void 0 : previousCert.certificateInfo.subject.dn.DN} with subject string ${previousCert === null || previousCert === void 0 ? void 0 : previousCert.x509Certificate.subject}.`, verificationTime }, (client && { client }));
|
|
140
|
+
return Object.assign({ error: true, critical: true, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert === null || previousCert === void 0 ? void 0 : previousCert.certificateInfo.subject.dn.DN} with subject string ${previousCert === null || previousCert === void 0 ? void 0 : previousCert.x509Certificate.subject}.`, verificationTime }, (client && { client }));
|
|
140
141
|
}
|
|
141
142
|
}
|
|
142
143
|
const result = yield currentCert.x509Certificate.verify({
|
|
@@ -144,26 +145,29 @@ const validateX509CertificateChainImpl = (_a) => __awaiter(void 0, [_a], void 0,
|
|
|
144
145
|
publicKey: (_c = previousCert === null || previousCert === void 0 ? void 0 : previousCert.x509Certificate) === null || _c === void 0 ? void 0 : _c.publicKey,
|
|
145
146
|
}, (_f = (_e = (_d = (0, pkijs_1.getCrypto)()) === null || _d === void 0 ? void 0 : _d.crypto) !== null && _e !== void 0 ? _e : crypto) !== null && _f !== void 0 ? _f : global.crypto);
|
|
146
147
|
if (!result) {
|
|
148
|
+
// First cert needs to be self signed
|
|
147
149
|
if (i == 0 && !reversed && !disallowReversedChain) {
|
|
148
150
|
return yield validateX509CertificateChainImpl({
|
|
149
151
|
reversed: true,
|
|
150
|
-
chain: pemOrDerChain.reverse(),
|
|
152
|
+
chain: [...pemOrDerChain].reverse(),
|
|
151
153
|
opts,
|
|
152
154
|
verificationTime,
|
|
153
155
|
trustAnchors,
|
|
154
156
|
});
|
|
155
157
|
}
|
|
156
|
-
return Object.assign({ error: true, critical: true, message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer} failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`, verificationTime }, (client && { client }));
|
|
158
|
+
return Object.assign({ error: true, critical: true, message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer} failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`, verificationTime }, (client && { client }));
|
|
157
159
|
}
|
|
158
160
|
foundTrustAnchor = foundTrustAnchor !== null && foundTrustAnchor !== void 0 ? foundTrustAnchor : trustedCerts === null || trustedCerts === void 0 ? void 0 : trustedCerts.find((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate));
|
|
159
161
|
if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {
|
|
160
|
-
return Object.assign({ error: false, critical: false, message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`, trustAnchor: foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo, verificationTime }, (client && { client }));
|
|
162
|
+
return Object.assign({ error: false, critical: false, message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), trustAnchor: foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo, verificationTime }, (client && { client }));
|
|
161
163
|
}
|
|
162
164
|
}
|
|
163
|
-
if (foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo) {
|
|
164
|
-
return Object.assign({ error: false, critical: false, message: `Certificate chain was valid`,
|
|
165
|
+
if ((foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo) || allowNoTrustAnchorsFound) {
|
|
166
|
+
return Object.assign({ error: false, critical: false, message: `Certificate chain was valid`, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), detailMessage: foundTrustAnchor
|
|
167
|
+
? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo.subject.dn.DN}.`
|
|
168
|
+
: `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`, trustAnchor: foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo, verificationTime }, (client && { client }));
|
|
165
169
|
}
|
|
166
|
-
return Object.assign({ error: true, critical: true, message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, detailMessage: `No trust anchor was found in the chain. between ${chain
|
|
170
|
+
return Object.assign({ error: true, critical: true, message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN} and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`, verificationTime }, (client && { client }));
|
|
167
171
|
});
|
|
168
172
|
const isSameCertificate = (cert1, cert2) => {
|
|
169
173
|
return cert1.rawData.toString() === cert2.rawData.toString();
|
|
@@ -177,7 +181,13 @@ const parseCertificate = (rawCert) => __awaiter(void 0, void 0, void 0, function
|
|
|
177
181
|
const x509Certificate = new x509_1.X509Certificate(rawCert);
|
|
178
182
|
const publicKeyInfo = asn1_schema_1.AsnParser.parse(x509Certificate.publicKey.rawData, asn1_x509_1.SubjectPublicKeyInfo);
|
|
179
183
|
const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey);
|
|
180
|
-
|
|
184
|
+
let publicKeyJwk = undefined;
|
|
185
|
+
try {
|
|
186
|
+
publicKeyJwk = (yield (0, exports.getCertificateSubjectPublicKeyJWK)(new Uint8Array(x509Certificate.rawData)));
|
|
187
|
+
}
|
|
188
|
+
catch (e) {
|
|
189
|
+
console.error(e.message);
|
|
190
|
+
}
|
|
181
191
|
const certificate = (0, x509_utils_1.pemOrDerToX509Certificate)(rawCert);
|
|
182
192
|
const certificateInfo = yield (0, exports.getCertificateInfo)(certificate);
|
|
183
193
|
const publicKeyAlgorithm = (0, exports.getX509AlgorithmProvider)().toWebAlgorithm(publicKeyInfo.algorithm);
|
|
@@ -192,81 +202,142 @@ const parseCertificate = (rawCert) => __awaiter(void 0, void 0, void 0, function
|
|
|
192
202
|
};
|
|
193
203
|
});
|
|
194
204
|
exports.parseCertificate = parseCertificate;
|
|
195
|
-
|
|
205
|
+
/*
|
|
206
|
+
|
|
207
|
+
/!**
|
|
196
208
|
*
|
|
197
209
|
* @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
|
|
198
210
|
* @param trustedPEMs
|
|
199
211
|
* @param verificationTime
|
|
200
212
|
* @param opts
|
|
201
|
-
|
|
202
|
-
const validateX509CertificateChainOrg =
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
213
|
+
*!/
|
|
214
|
+
export const validateX509CertificateChainOrg = async ({
|
|
215
|
+
chain: pemOrDerChain,
|
|
216
|
+
trustAnchors,
|
|
217
|
+
verificationTime = new Date(),
|
|
218
|
+
opts = {
|
|
219
|
+
trustRootWhenNoAnchors: false,
|
|
220
|
+
allowSingleNoCAChainElement: true,
|
|
221
|
+
blindlyTrustedAnchors: [],
|
|
222
|
+
},
|
|
223
|
+
}: {
|
|
224
|
+
chain: (Uint8Array | string)[]
|
|
225
|
+
trustAnchors?: string[]
|
|
226
|
+
verificationTime?: Date
|
|
227
|
+
opts?: X509CertificateChainValidationOpts
|
|
228
|
+
}): Promise<X509ValidationResult> => {
|
|
229
|
+
const {
|
|
230
|
+
trustRootWhenNoAnchors = false,
|
|
231
|
+
allowSingleNoCAChainElement = true,
|
|
232
|
+
blindlyTrustedAnchors = [],
|
|
233
|
+
client
|
|
234
|
+
} = opts
|
|
235
|
+
const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors
|
|
236
|
+
|
|
210
237
|
if (pemOrDerChain.length === 0) {
|
|
211
238
|
return {
|
|
212
239
|
error: true,
|
|
213
240
|
critical: true,
|
|
214
241
|
message: 'Certificate chain in DER or PEM format must not be empty',
|
|
215
242
|
verificationTime,
|
|
216
|
-
}
|
|
243
|
+
}
|
|
217
244
|
}
|
|
245
|
+
|
|
218
246
|
// x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around
|
|
219
|
-
const certs = pemOrDerChain.map(
|
|
220
|
-
const trustedCerts = trustedPEMs ? trustedPEMs.map(
|
|
221
|
-
defaultCryptoEngine()
|
|
247
|
+
const certs = pemOrDerChain.map(pemOrDerToX509Certificate).reverse()
|
|
248
|
+
const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined
|
|
249
|
+
defaultCryptoEngine()
|
|
250
|
+
|
|
222
251
|
if (pemOrDerChain.length === 1) {
|
|
223
|
-
const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')
|
|
224
|
-
const cert =
|
|
252
|
+
const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')
|
|
253
|
+
const cert = pemOrDerToX509Certificate(singleCert)
|
|
225
254
|
if (client) {
|
|
226
|
-
const validation =
|
|
255
|
+
const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)
|
|
227
256
|
if (validation.error) {
|
|
228
|
-
return validation
|
|
257
|
+
return validation
|
|
229
258
|
}
|
|
230
259
|
}
|
|
231
260
|
if (blindlyTrustedAnchors.includes(singleCert)) {
|
|
232
|
-
console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)
|
|
233
|
-
return
|
|
261
|
+
console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)
|
|
262
|
+
return {
|
|
263
|
+
error: false,
|
|
264
|
+
critical: true,
|
|
265
|
+
message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,
|
|
266
|
+
verificationTime,
|
|
267
|
+
certificateChain: [await getCertificateInfo(cert)],
|
|
268
|
+
...(client && {client}),
|
|
269
|
+
}
|
|
234
270
|
}
|
|
235
271
|
if (allowSingleNoCAChainElement) {
|
|
236
|
-
const subjectDN =
|
|
237
|
-
if (!
|
|
238
|
-
const passed =
|
|
239
|
-
return
|
|
272
|
+
const subjectDN = getSubjectDN(cert).DN
|
|
273
|
+
if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {
|
|
274
|
+
const passed = await cert.verify()
|
|
275
|
+
return {
|
|
276
|
+
error: !passed,
|
|
277
|
+
critical: true,
|
|
278
|
+
message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,
|
|
279
|
+
verificationTime,
|
|
280
|
+
certificateChain: [await getCertificateInfo(cert)],
|
|
281
|
+
...(client && {client}),
|
|
282
|
+
}
|
|
240
283
|
}
|
|
241
284
|
}
|
|
242
285
|
}
|
|
243
|
-
|
|
244
|
-
|
|
286
|
+
|
|
287
|
+
const validationEngine = new CertificateChainValidationEngine({
|
|
288
|
+
certs /!*crls: [crl1], ocsps: [ocsp1], *!/,
|
|
245
289
|
checkDate: verificationTime,
|
|
246
290
|
trustedCerts,
|
|
247
|
-
})
|
|
291
|
+
})
|
|
292
|
+
|
|
248
293
|
try {
|
|
249
|
-
const verification =
|
|
294
|
+
const verification = await validationEngine.verify()
|
|
250
295
|
if (!verification.result || !verification.certificatePath) {
|
|
251
|
-
return
|
|
296
|
+
return {
|
|
297
|
+
error: true,
|
|
298
|
+
critical: true,
|
|
299
|
+
message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,
|
|
300
|
+
verificationTime,
|
|
301
|
+
...(client && {client}),
|
|
302
|
+
}
|
|
252
303
|
}
|
|
253
|
-
const certPath = verification.certificatePath
|
|
304
|
+
const certPath = verification.certificatePath
|
|
254
305
|
if (client) {
|
|
255
|
-
const clientIdValidation =
|
|
306
|
+
const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)
|
|
256
307
|
if (clientIdValidation.error) {
|
|
257
|
-
return clientIdValidation
|
|
308
|
+
return clientIdValidation
|
|
258
309
|
}
|
|
259
310
|
}
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
311
|
+
let certInfos: Array<CertificateInfo> | undefined
|
|
312
|
+
|
|
313
|
+
for (const certificate of certPath) {
|
|
314
|
+
try {
|
|
315
|
+
certInfos?.push(await getCertificateInfo(certificate))
|
|
316
|
+
} catch (e: any) {
|
|
317
|
+
console.log(`Error getting certificate info ${e.message}`)
|
|
318
|
+
}
|
|
319
|
+
}
|
|
320
|
+
|
|
321
|
+
|
|
322
|
+
return {
|
|
323
|
+
error: false,
|
|
324
|
+
critical: false,
|
|
325
|
+
message: `Certificate chain was valid`,
|
|
326
|
+
verificationTime,
|
|
327
|
+
certificateChain: certInfos,
|
|
328
|
+
...(client && {client}),
|
|
329
|
+
}
|
|
330
|
+
} catch (error: any) {
|
|
331
|
+
return {
|
|
332
|
+
error: true,
|
|
333
|
+
critical: true,
|
|
334
|
+
message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,
|
|
335
|
+
verificationTime,
|
|
336
|
+
...(client && {client}),
|
|
337
|
+
}
|
|
267
338
|
}
|
|
268
|
-
}
|
|
269
|
-
|
|
339
|
+
}
|
|
340
|
+
*/
|
|
270
341
|
const rdnmap = {
|
|
271
342
|
'2.5.4.6': 'C',
|
|
272
343
|
'2.5.4.10': 'O',
|
|
@@ -310,21 +381,33 @@ const getDNString = (typesAndValues) => {
|
|
|
310
381
|
};
|
|
311
382
|
const getCertificateSubjectPublicKeyJWK = (pemOrDerCert) => __awaiter(void 0, void 0, void 0, function* () {
|
|
312
383
|
const pemOrDerStr = typeof pemOrDerCert === 'string'
|
|
313
|
-
? pemOrDerCert
|
|
384
|
+
? u8a.toString(u8a.fromString(pemOrDerCert, 'base64pad'), 'base64pad')
|
|
314
385
|
: pemOrDerCert instanceof Uint8Array
|
|
315
386
|
? u8a.toString(pemOrDerCert, 'base64pad')
|
|
316
|
-
: pemOrDerCert.toString('base64');
|
|
387
|
+
: u8a.toString(u8a.fromString(pemOrDerCert.toString('base64'), 'base64pad'), 'base64pad');
|
|
317
388
|
const pem = (0, x509_utils_1.derToPEM)(pemOrDerStr);
|
|
318
389
|
const certificate = (0, x509_utils_1.pemOrDerToX509Certificate)(pem);
|
|
390
|
+
var jwk;
|
|
319
391
|
try {
|
|
320
392
|
const subtle = (0, pkijs_1.getCrypto)(true).subtle;
|
|
321
|
-
const pk = yield certificate.getPublicKey();
|
|
322
|
-
|
|
393
|
+
const pk = yield certificate.getPublicKey(undefined, defaultCryptoEngine());
|
|
394
|
+
jwk = (yield subtle.exportKey('jwk', pk));
|
|
323
395
|
}
|
|
324
396
|
catch (error) {
|
|
325
397
|
console.log(`Error in primary get JWK from cert:`, error === null || error === void 0 ? void 0 : error.message);
|
|
326
398
|
}
|
|
327
|
-
|
|
399
|
+
if (!jwk) {
|
|
400
|
+
try {
|
|
401
|
+
jwk = (yield js_x509_utils_1.default.toJwk(pem, 'pem'));
|
|
402
|
+
}
|
|
403
|
+
catch (error) {
|
|
404
|
+
console.log(`Error in secondary get JWK from cert as well:`, error === null || error === void 0 ? void 0 : error.message);
|
|
405
|
+
}
|
|
406
|
+
}
|
|
407
|
+
if (!jwk) {
|
|
408
|
+
throw Error(`Failed to get JWK from certificate ${pem}`);
|
|
409
|
+
}
|
|
410
|
+
return jwk;
|
|
328
411
|
});
|
|
329
412
|
exports.getCertificateSubjectPublicKeyJWK = getCertificateSubjectPublicKeyJWK;
|
|
330
413
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"x509-validator.js","sourceRoot":"","sources":["../../src/x509/x509-validator.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uDAAiD;AACjD,mDAA0D;AAC1D,yCAAmE;AAGnE,kEAAgC;AAChC,iCASc;AACd,uCAAoC;AACpC,iDAAkC;AAClC,6CAAwF;AAoCxF,MAAM,mBAAmB,GAAG,GAAG,EAAE;IAC/B,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;YACrB,IAAI,UAAU,GAAG,WAAW,CAAA;YAC5B,IAAI,cAAc,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAClC,UAAU,GAAG,QAAQ,CAAA;YACvB,CAAC;YACD,IAAA,iBAAS,EAAC,UAAU,EAAE,IAAI,oBAAY,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;QAC/E,CAAC;IACH,CAAC;SAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,WAAW,IAAI,MAAM,EAAE,CAAC;QAClE,MAAM,IAAI,GAAG,YAAY,CAAA;QACzB,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,CAAA;QACnC,aAAa;QACb,IAAA,iBAAS,EAAC,IAAI,EAAE,IAAI,oBAAY,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC,CAAA;IACjE,CAAC;SAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QACjF,MAAM,IAAI,GAAG,QAAQ,CAAA;QACrB,IAAA,iBAAS,EAAC,IAAI,EAAE,IAAI,oBAAY,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;IAC7D,CAAC;AACH,CAAC,CAAA;AAEM,MAAM,kBAAkB,GAAG,CAChC,WAAwB,EACxB,IAEC,EACyB,EAAE;IAC5B,MAAM,YAAY,GAAG,MAAM,IAAA,yCAAiC,EAAC,WAAW,CAAC,CAAA;IACzE,OAAO;QACL,MAAM,EAAE,EAAE,EAAE,EAAE,IAAA,mBAAW,EAAC,WAAW,CAAC,EAAE;QACxC,OAAO,EAAE;YACP,EAAE,EAAE,IAAA,oBAAY,EAAC,WAAW,CAAC;YAC7B,uBAAuB,EAAE,IAAA,kCAA0B,EAAC,WAAW,EAAE,EAAE,UAAU,EAAE,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,aAAa,EAAE,CAAC;SACtG;QACD,YAAY,EAAE,YAAY;QAC1B,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,KAAK;QACtC,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC,KAAK;QACpC,cAAc;KACW,CAAA;AAC7B,CAAC,CAAA,CAAA;AAlBY,QAAA,kBAAkB,sBAkB9B;AAoBM,MAAM,4BAA4B,GAAG,KAeV,EAAE,4CAfe,EACjD,KAAK,EAAE,aAAa,EACpB,YAAY,EACZ,gBAAgB,GAAG,IAAI,IAAI,EAAE,EAC7B,IAAI,GAAG;IACL,sBAAsB,EAAE,KAAK;IAC7B,2BAA2B,EAAE,IAAI;IACjC,qBAAqB,EAAE,EAAE;IACzB,qBAAqB,EAAE,KAAK;CAC7B,GAMF;IACC,+KAA+K;IAC/K,OAAO,MAAM,gCAAgC,CAAC;QAC5C,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,aAAa,CAAC,OAAO,EAAE;QAC9B,YAAY;QACZ,gBAAgB;QAChB,IAAI;KACL,CAAC,CAAA;AACJ,CAAC,CAAA,CAAA;AAxBY,QAAA,4BAA4B,gCAwBxC;AACD,MAAM,gCAAgC,GAAG,KAYP,EAAE,4CAZY,EAC9C,QAAQ,EACR,KAAK,EAAE,aAAa,EACpB,YAAY,EACZ,gBAAgB,EAAE,QAAQ,EAC1B,IAAI,GAOL;;IACC,MAAM,gBAAgB,GAAS,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;IAC3F,MAAM,EACJ,sBAAsB,GAAG,KAAK,EAC9B,2BAA2B,GAAG,IAAI,EAClC,qBAAqB,GAAG,EAAE,EAC1B,qBAAqB,GAAG,KAAK,EAC7B,MAAM,GACP,GAAG,IAAI,CAAA;IACR,MAAM,WAAW,GAAG,sBAAsB,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAA;IAEtH,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,0DAA0D;YACnE,gBAAgB;SACjB,CAAA;IACH,CAAC;IACD,mBAAmB,EAAE,CAAA;IAErB,+HAA+H;IAC/H,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAA;IAClF,MAAM,YAAY,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACjH,MAAM,cAAc,GAAG,MAAA,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,mCAAI,EAAE,CAAA;IAC3G,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAExC,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAA;IAChC,IAAI,gBAAgB,GAAkC,SAAS,CAAA;IAC/D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QACrD,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,iCAAoB,EAAC,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,WAAW,CAAC,CAAC,CAAA;QAC/H,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,iHAAiH,CAAC,CAAA;YAC9H,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,iHAAiH,EAC1H,aAAa,EAAE,+BAA+B,kBAAkB,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,0BAA0B,EACxH,WAAW,EAAE,kBAAkB,aAAlB,kBAAkB,uBAAlB,kBAAkB,CAAE,eAAe,EAChD,gBAAgB,EAChB,gBAAgB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,IACxD,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,WAAW,CAAC,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;gBAChF,IAAI,CAAC,QAAQ,IAAI,CAAC,qBAAqB,EAAE,CAAC;oBACxC,OAAO,MAAM,gCAAgC,CAAC;wBAC5C,QAAQ,EAAE,IAAI;wBACd,KAAK,EAAE,aAAa,CAAC,OAAO,EAAE;wBAC9B,IAAI;wBACJ,gBAAgB;wBAChB,YAAY;qBACb,CAAC,CAAA;gBACJ,CAAC;gBACD,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,aAAa,EAAE,mBAAmB,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBAAgB,WAAW,CAAC,eAAe,CAAC,MAAM,+CAA+C,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,wBAAwB,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,CAAC,OAAO,GAAG,EACvR,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;YACH,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,eAAe,CAAC,MAAM,CACrD;YACE,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,0CAAE,SAAS;SACpD,EACD,MAAA,MAAA,MAAA,IAAA,iBAAS,GAAE,0CAAE,MAAM,mCAAI,MAAM,mCAAI,MAAM,CAAC,MAAM,CAC/C,CAAA;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBAClD,OAAO,MAAM,gCAAgC,CAAC;oBAC5C,QAAQ,EAAE,IAAI;oBACd,KAAK,EAAE,aAAa,CAAC,OAAO,EAAE;oBAC9B,IAAI;oBACJ,gBAAgB;oBAChB,YAAY;iBACb,CAAC,CAAA;YACJ,CAAC;YACD,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,aAAa,EAAE,mCAAmC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBACzF,WAAW,CAAC,eAAe,CAAC,MAC9B,wBAAwB,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,eAAe,CAAC,YAAY,CAAC,GAAG,EACnF,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;QAED,gBAAgB,GAAG,gBAAgB,aAAhB,gBAAgB,cAAhB,gBAAgB,GAAI,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,eAAe,EAAE,WAAW,CAAC,eAAe,CAAC,CAAC,CAAA;QAE/I,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,KAAK,CAAC,IAAI,2BAA2B,EAAE,CAAC;YAChE,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,uEAAuE,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EACzH,WAAW,EAAE,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,EAC9C,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,EAAE,CAAC;QACtC,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,6BAA6B,EACtC,aAAa,EAAE,wBAAwB,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,yCAAyC,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EACxK,WAAW,EAAE,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,EAC9C,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;IACH,CAAC;IAED,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,aAAa,EAAE,mDAAmD,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,QACtG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EACrD,GAAG,EACH,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;AACH,CAAC,CAAA,CAAA;AAED,MAAM,iBAAiB,GAAG,CAAC,KAAsB,EAAE,KAAsB,EAAW,EAAE;IACpF,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAA;AAC9D,CAAC,CAAA;AAED,MAAM,iBAAiB,GAAsB,oBAAS,CAAC,OAAO,CAAC,wBAAiB,CAAC,CAAA;AAC1E,MAAM,wBAAwB,GAAG,GAAsB,EAAE;IAC9D,OAAO,iBAAiB,CAAA;AAC1B,CAAC,CAAA;AAFY,QAAA,wBAAwB,4BAEpC;AAYM,MAAM,gBAAgB,GAAG,CAAO,OAA4B,EAA8B,EAAE;IACjG,MAAM,eAAe,GAAG,IAAI,sBAAe,CAAC,OAAO,CAAC,CAAA;IACpD,MAAM,aAAa,GAAG,uBAAS,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,OAAO,EAAE,gCAAoB,CAAC,CAAA;IAC9F,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAA;IACnE,MAAM,YAAY,GAAQ,CAAC,MAAM,IAAA,yCAAiC,EAAC,IAAI,UAAU,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAQ,CAAA;IACnH,MAAM,WAAW,GAAG,IAAA,sCAAyB,EAAC,OAAO,CAAC,CAAA;IACtD,MAAM,eAAe,GAAG,MAAM,IAAA,0BAAkB,EAAC,WAAW,CAAC,CAAA;IAC7D,MAAM,kBAAkB,GAAG,IAAA,gCAAwB,GAAE,CAAC,cAAc,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;IAC7F,OAAO;QACL,kBAAkB;QAClB,aAAa;QACb,YAAY;QACZ,YAAY;QACZ,eAAe;QACf,WAAW;QACX,eAAe;KAChB,CAAA;AACH,CAAC,CAAA,CAAA;AAjBY,QAAA,gBAAgB,oBAiB5B;AAED;;;;;;GAMG;AACI,MAAM,+BAA+B,GAAG,KAcb,EAAE,4CAdkB,EACpD,KAAK,EAAE,aAAa,EACpB,YAAY,EACZ,gBAAgB,GAAG,IAAI,IAAI,EAAE,EAC7B,IAAI,GAAG;IACL,sBAAsB,EAAE,KAAK;IAC7B,2BAA2B,EAAE,IAAI;IACjC,qBAAqB,EAAE,EAAE;CAC1B,GAMF;;IACC,MAAM,EAAE,sBAAsB,GAAG,KAAK,EAAE,2BAA2B,GAAG,IAAI,EAAE,qBAAqB,GAAG,EAAE,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;IACvH,MAAM,WAAW,GAAG,sBAAsB,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAA;IAEtH,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,0DAA0D;YACnE,gBAAgB;SACjB,CAAA;IACH,CAAC;IAED,+HAA+H;IAC/H,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,sCAAyB,CAAC,CAAC,OAAO,EAAE,CAAA;IACpE,MAAM,YAAY,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,sCAAyB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACzF,mBAAmB,EAAE,CAAA;IAErB,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,OAAO,aAAa,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;QACxH,MAAM,IAAI,GAAG,IAAA,sCAAyB,EAAC,UAAU,CAAC,CAAA;QAClD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,UAAU,GAAG,MAAM,IAAA,qDAA6C,EAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,CAAA;YACpH,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;gBACrB,OAAO,UAAU,CAAA;YACnB,CAAC;QACH,CAAC;QACD,IAAI,qBAAqB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/C,OAAO,CAAC,GAAG,CAAC,iHAAiH,CAAC,CAAA;YAC9H,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,iHAAiH,EAC1H,gBAAgB,EAChB,gBAAgB,EAAE,CAAC,MAAM,IAAA,0BAAkB,EAAC,IAAI,CAAC,CAAC,IAC/C,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;QACD,IAAI,2BAA2B,EAAE,CAAC;YAChC,MAAM,SAAS,GAAG,IAAA,oBAAY,EAAC,IAAI,CAAC,CAAC,EAAE,CAAA;YACvC,IAAI,CAAC,IAAA,mBAAW,EAAC,IAAI,CAAC,CAAC,EAAE,IAAI,IAAA,mBAAW,EAAC,IAAI,CAAC,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;gBAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAA;gBAClC,uBACE,KAAK,EAAE,CAAC,MAAM,EACd,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,oCAAoC,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,GAAG,EAC9F,gBAAgB,EAChB,gBAAgB,EAAE,CAAC,MAAM,IAAA,0BAAkB,EAAC,IAAI,CAAC,CAAC,IAC/C,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,GAAG,IAAI,wCAAgC,CAAC;QAC5D,KAAK,CAAC,oCAAoC;QAC1C,SAAS,EAAE,gBAAgB;QAC3B,YAAY;KACb,CAAC,CAAA;IAEF,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,CAAA;QACpD,IAAI,CAAC,YAAY,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;YAC1D,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,YAAY,CAAC,aAAa,KAAK,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,sCAAsC,EAChH,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;QACD,MAAM,QAAQ,GAAG,YAAY,CAAC,eAAe,CAAA;QAC7C,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,kBAAkB,GAAG,MAAM,IAAA,qDAA6C,EAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,CAAA;YAChI,IAAI,kBAAkB,CAAC,KAAK,EAAE,CAAC;gBAC7B,OAAO,kBAAkB,CAAA;YAC3B,CAAC;QACH,CAAC;QACD,MAAM,SAAS,GAA2B,MAAM,OAAO,CAAC,GAAG,CACzD,QAAQ,CAAC,GAAG,CAAC,CAAO,WAAW,EAAE,EAAE;YACjC,OAAO,IAAA,0BAAkB,EAAC,WAAW,CAAC,CAAA;QACxC,CAAC,CAAA,CAAC,CACH,CAAA;QACD,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,6BAA6B,EACtC,gBAAgB,EAChB,gBAAgB,EAAE,SAAS,IACxB,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;IACH,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,kCAAkC,MAAA,KAAK,CAAC,OAAO,mCAAI,iBAAiB,EAAE,EAC/E,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;IACH,CAAC;AACH,CAAC,CAAA,CAAA;AAlHY,QAAA,+BAA+B,mCAkH3C;AAED,MAAM,MAAM,GAA2B;IACrC,SAAS,EAAE,GAAG;IACd,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;IAChB,SAAS,EAAE,IAAI;IACf,SAAS,EAAE,GAAG;IACd,SAAS,EAAE,IAAI;IACf,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;IAChB,UAAU,EAAE,GAAG;IACf,SAAS,EAAE,IAAI;IACf,sBAAsB,EAAE,QAAQ;CACjC,CAAA;AAEM,MAAM,WAAW,GAAG,CAAC,IAAiB,EAAU,EAAE;IACvD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;QAC3C,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;KACpD,CAAA;AACH,CAAC,CAAA;AALY,QAAA,WAAW,eAKvB;AAEM,MAAM,YAAY,GAAG,CAAC,IAAiB,EAAU,EAAE;IACxD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5C,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;KACrD,CAAA;AACH,CAAC,CAAA;AALY,QAAA,YAAY,gBAKxB;AAED,MAAM,WAAW,GAAG,CAAC,cAAuC,EAA0B,EAAE;;IACtF,MAAM,EAAE,GAA2B,EAAE,CAAA;IACrC,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,MAAA,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,mCAAI,YAAY,CAAC,IAAI,CAAA;QAC3D,EAAE,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC,CAAA;AACD,MAAM,WAAW,GAAG,CAAC,cAAuC,EAAU,EAAE;IACtE,OAAO,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;SAC/C,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;SACxC,IAAI,CAAC,GAAG,CAAC,CAAA;AACd,CAAC,CAAA;AAEM,MAAM,iCAAiC,GAAG,CAAO,YAA+C,EAAuB,EAAE;IAC9H,MAAM,WAAW,GACf,OAAO,YAAY,KAAK,QAAQ;QAC9B,CAAC,CAAC,YAAY;QACd,CAAC,CAAC,YAAY,YAAY,UAAU;YACpC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,EAAE,WAAW,CAAC;YACzC,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IACrC,MAAM,GAAG,GAAG,IAAA,qBAAQ,EAAC,WAAW,CAAC,CAAA;IACjC,MAAM,WAAW,GAAG,IAAA,sCAAyB,EAAC,GAAG,CAAC,CAAA;IAClD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,iBAAS,EAAC,IAAI,CAAC,CAAC,MAAM,CAAA;QACrC,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,YAAY,EAAE,CAAA;QAC3C,OAAO,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IAC1C,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,CAAC,CAAA;IACpE,CAAC;IACD,OAAO,MAAM,uBAAI,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;AACrC,CAAC,CAAA,CAAA;AAjBY,QAAA,iCAAiC,qCAiB7C;AAED;;;;;;;;;;GAUG;AACH,IAAY,6BAKX;AALD,WAAY,6BAA6B;IACvC,6FAAc,CAAA;IACd,uFAAW,CAAA;IACX,2HAA6B,CAAA;IAC7B,2FAAa,CAAA;AACf,CAAC,EALW,6BAA6B,6CAA7B,6BAA6B,QAKxC;AASM,MAAM,sCAAsC,GAAG,CAAC,WAAwB,EAAE,QAAgB,EAAE,cAA8B,EAAQ,EAAE;IACzI,MAAM,IAAI,GAAG,IAAA,kCAA0B,EAAC,WAAW,EAAE,EAAE,oBAAoB,EAAE,cAAc,EAAE,CAAC,CAAA;IAC9F,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAA;IAClE,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,KAAK,CACT,oBAAoB,cAAc,0EAChC,IAAA,oBAAY,EAAC,WAAW,CAAC,CAAC,EAC5B,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CACpD,CAAA;IACH,CAAC;AACH,CAAC,CAAA;AAVY,QAAA,sCAAsC,0CAUlD;AAEM,MAAM,6CAA6C,GAAG,CAC3D,WAAwB,EACxB,QAAgB,EAChB,cAA8B,EACC,EAAE;IACjC,MAAM,MAAM,GAAG;QACb,KAAK,EAAE,IAAI;QACX,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE,aAAa,QAAQ,gDAAgD,cAAc,EAAE;QAC9F,MAAM,EAAE;YACN,QAAQ;YACR,cAAc;SACf;QACD,gBAAgB,EAAE,CAAC,MAAM,IAAA,0BAAkB,EAAC,WAAW,CAAC,CAAC;QACzD,gBAAgB,EAAE,IAAI,IAAI,EAAE;KAC7B,CAAA;IACD,IAAI,CAAC;QACH,IAAA,8CAAsC,EAAC,WAAW,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;IAC/E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,MAAM,CAAA;IACf,CAAC;IACD,MAAM,CAAC,KAAK,GAAG,KAAK,CAAA;IACpB,MAAM,CAAC,OAAO,GAAG,aAAa,QAAQ,4CAA4C,cAAc,EAAE,CAAA;IAClG,OAAO,MAAM,CAAA;AACf,CAAC,CAAA,CAAA;AAxBY,QAAA,6CAA6C,iDAwBzD;AAEM,MAAM,0BAA0B,GAAG,CACxC,WAAwB,EACxB,IAIC,EACyB,EAAE;;IAC5B,IAAI,UAA2C,CAAA;IAC/C,IAAI,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,oBAAoB,EAAE,CAAC;QAC/B,UAAU;YACR,IAAI,CAAC,oBAAoB,KAAK,cAAc;gBAC1C,CAAC,CAAC,CAAC,6BAA6B,CAAC,OAAO,CAAC;gBACzC,CAAC,CAAC,CAAC,6BAA6B,CAAC,yBAAyB,CAAC,CAAA;IACjE,CAAC;SAAM,IAAI,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,UAAU,EAAE,CAAC;QAC5B,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IACnF,CAAC;SAAM,CAAC;QACN,UAAU,GAAG,CAAC,6BAA6B,CAAC,OAAO,EAAE,6BAA6B,CAAC,yBAAyB,CAAC,CAAA;IAC/G,CAAC;IACD,MAAM,WAAW,GAAG,MAAA,MAAA,WAAW,CAAC,UAAU,0CAAE,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,yBAAiB,CAAC,0CAAE,WAAsB,CAAA;IACnH,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,CAAA;IACX,CAAC;IACD,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAA;IAC9C,OAAO,QAAQ;SACZ,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;SACtD,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QACf,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAmC,CAAA;IACtF,CAAC,CAAC,CAAA;AACN,CAAC,CAAA;AA7BY,QAAA,0BAA0B,8BA6BtC"}
|
|
1
|
+
{"version":3,"file":"x509-validator.js","sourceRoot":"","sources":["../../src/x509/x509-validator.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uDAAiD;AACjD,mDAA0D;AAC1D,yCAAmE;AAGnE,kEAAgC;AAChC,iCAA0H;AAC1H,uCAAoC;AACpC,iDAAkC;AAClC,qCAAuC;AACvC,6CAAwF;AAoCxF,MAAM,mBAAmB,GAAG,GAAG,EAAE;IAC/B,MAAM,IAAI,GAAG,QAAQ,CAAA;IACrB,IAAA,iBAAS,EAAC,IAAI,EAAE,IAAI,oBAAY,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAA,qBAAY,EAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAA;IACxE,OAAO,IAAA,iBAAS,EAAC,IAAI,CAAC,CAAA;AACxB,CAAC,CAAA;AAEM,MAAM,kBAAkB,GAAG,CAChC,WAAwB,EACxB,IAEC,EACyB,EAAE;IAC5B,IAAI,YAA6B,CAAA;IACjC,IAAI,CAAC;QACH,YAAY,GAAG,CAAC,MAAM,IAAA,yCAAiC,EAAC,WAAW,CAAC,CAAQ,CAAA;IAC9E,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;IACd,OAAO;QACL,MAAM,EAAE,EAAE,EAAE,EAAE,IAAA,mBAAW,EAAC,WAAW,CAAC,EAAE;QACxC,OAAO,EAAE;YACP,EAAE,EAAE,IAAA,oBAAY,EAAC,WAAW,CAAC;YAC7B,uBAAuB,EAAE,IAAA,kCAA0B,EAAC,WAAW,EAAE,EAAE,UAAU,EAAE,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,aAAa,EAAE,CAAC;SACtG;QACD,YAAY;QACZ,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,KAAK;QACtC,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC,KAAK;QACpC,cAAc;KACW,CAAA;AAC7B,CAAC,CAAA,CAAA;AArBY,QAAA,kBAAkB,sBAqB9B;AAuBM,MAAM,4BAA4B,GAAG,KAiBV,EAAE,4CAjBe,EACjD,KAAK,EAAE,aAAa,EACpB,YAAY,EACZ,gBAAgB,GAAG,IAAI,IAAI,EAAE,EAC7B,IAAI,GAAG;IACL,4FAA4F;IAC5F,wBAAwB,EAAE,KAAK;IAC/B,sBAAsB,EAAE,KAAK;IAC7B,2BAA2B,EAAE,IAAI;IACjC,qBAAqB,EAAE,EAAE;IACzB,qBAAqB,EAAE,KAAK;CAC7B,GAMF;IACC,+KAA+K;IAC/K,OAAO,MAAM,gCAAgC,CAAC;QAC5C,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC,OAAO,EAAE;QACnC,YAAY;QACZ,gBAAgB;QAChB,IAAI;KACL,CAAC,CAAA;AACJ,CAAC,CAAA,CAAA;AA1BY,QAAA,4BAA4B,gCA0BxC;AACD,MAAM,gCAAgC,GAAG,KAYP,EAAE,4CAZY,EAC9C,QAAQ,EACR,KAAK,EAAE,aAAa,EACpB,YAAY,EACZ,gBAAgB,EAAE,QAAQ,EAC1B,IAAI,GAOL;;IACC,MAAM,gBAAgB,GAAS,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;IAC3F,MAAM,EACJ,wBAAwB,GAAG,KAAK,EAChC,sBAAsB,GAAG,KAAK,EAC9B,2BAA2B,GAAG,IAAI,EAClC,qBAAqB,GAAG,EAAE,EAC1B,qBAAqB,GAAG,KAAK,EAC7B,MAAM,GACP,GAAG,IAAI,CAAA;IACR,MAAM,WAAW,GAAG,sBAAsB,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAA;IAEtH,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,0DAA0D;YACnE,gBAAgB;SACjB,CAAA;IACH,CAAC;IACD,mBAAmB,EAAE,CAAA;IAErB,yLAAyL;IACzL,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAA;IAClF,MAAM,iBAAiB,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,OAAO,EAAE,CAAA;IAEtE,MAAM,YAAY,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACjH,MAAM,cAAc,GAClB,MAAA,CACE,MAAM,OAAO,CAAC,GAAG,CACf,qBAAqB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAChC,IAAI,CAAC;YACH,OAAO,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAA;QAC9B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,aAAa;YACb,OAAO,CAAC,GAAG,CAAC,+CAA+C,GAAG,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,CAAA;YACtF,OAAO,SAAS,CAAA;QAClB,CAAC;IACH,CAAC,CAAC,CACH,CACF,CAAC,MAAM,CAAC,CAAC,IAAI,EAA6B,EAAE,CAAC,IAAI,KAAK,SAAS,CAAC,mCAAI,EAAE,CAAA;IACzE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAA;IAErC,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAA;IAChC,IAAI,gBAAgB,GAAkC,SAAS,CAAA;IAC/D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QACrD,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,iCAAoB,EAAC,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,WAAW,CAAC,CAAC,CAAA;QAC/H,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,iHAAiH,CAAC,CAAA;YAC9H,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,iHAAiH,EAC1H,aAAa,EAAE,+BAA+B,kBAAkB,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,0BAA0B,EACxH,WAAW,EAAE,kBAAkB,aAAlB,kBAAkB,uBAAlB,kBAAkB,CAAE,eAAe,EAChD,gBAAgB,EAChB,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,IACpE,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,WAAW,CAAC,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;gBAChF,IAAI,CAAC,QAAQ,IAAI,CAAC,qBAAqB,EAAE,CAAC;oBACxC,OAAO,MAAM,gCAAgC,CAAC;wBAC5C,QAAQ,EAAE,IAAI;wBACd,KAAK,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC,OAAO,EAAE;wBACnC,IAAI;wBACJ,gBAAgB;wBAChB,YAAY;qBACb,CAAC,CAAA;gBACJ,CAAC;gBACD,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,aAAa,EAAE,mBAAmB,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBAAgB,WAAW,CAAC,eAAe,CAAC,MAAM,+CAA+C,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,wBAAwB,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,CAAC,OAAO,GAAG,EACvR,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;YACH,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,eAAe,CAAC,MAAM,CACrD;YACE,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,0CAAE,SAAS;SACpD,EACD,MAAA,MAAA,MAAA,IAAA,iBAAS,GAAE,0CAAE,MAAM,mCAAI,MAAM,mCAAI,MAAM,CAAC,MAAM,CAC/C,CAAA;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,qCAAqC;YACrC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBAClD,OAAO,MAAM,gCAAgC,CAAC;oBAC5C,QAAQ,EAAE,IAAI;oBACd,KAAK,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC,OAAO,EAAE;oBACnC,IAAI;oBACJ,gBAAgB;oBAChB,YAAY;iBACb,CAAC,CAAA;YACJ,CAAC;YAED,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,aAAa,EAAE,mCAAmC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBACzF,WAAW,CAAC,eAAe,CAAC,MAC9B,wBAAwB,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,eAAe,CAAC,YAAY,CAAC,GAAG,EACnF,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;QAED,gBAAgB,GAAG,gBAAgB,aAAhB,gBAAgB,cAAhB,gBAAgB,GAAI,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,eAAe,EAAE,WAAW,CAAC,eAAe,CAAC,CAAC,CAAA;QAE/I,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,KAAK,CAAC,IAAI,2BAA2B,EAAE,CAAC;YAChE,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,uEAAuE,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EACzH,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,WAAW,EAAE,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,EAC9C,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAA,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,KAAI,wBAAwB,EAAE,CAAC;QAClE,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,6BAA6B,EACtC,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,aAAa,EAAE,gBAAgB;gBAC7B,CAAC,CAAC,wBAAwB,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,yCAAyC,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG;gBAC3J,CAAC,CAAC,wBAAwB,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,kHAAkH,wBAAwB,KAAK,EACjN,WAAW,EAAE,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,EAC9C,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;IACH,CAAC;IAED,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,aAAa,EAAE,qEACb,iBAAiB,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EACjE,aAAa,iBAAiB,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAClE,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;AACH,CAAC,CAAA,CAAA;AAED,MAAM,iBAAiB,GAAG,CAAC,KAAsB,EAAE,KAAsB,EAAW,EAAE;IACpF,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAA;AAC9D,CAAC,CAAA;AAED,MAAM,iBAAiB,GAAsB,oBAAS,CAAC,OAAO,CAAC,wBAAiB,CAAC,CAAA;AAC1E,MAAM,wBAAwB,GAAG,GAAsB,EAAE;IAC9D,OAAO,iBAAiB,CAAA;AAC1B,CAAC,CAAA;AAFY,QAAA,wBAAwB,4BAEpC;AAYM,MAAM,gBAAgB,GAAG,CAAO,OAA4B,EAA8B,EAAE;IACjG,MAAM,eAAe,GAAG,IAAI,sBAAe,CAAC,OAAO,CAAC,CAAA;IACpD,MAAM,aAAa,GAAG,uBAAS,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,OAAO,EAAE,gCAAoB,CAAC,CAAA;IAC9F,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAA;IACnE,IAAI,YAAY,GAAoB,SAAS,CAAA;IAC7C,IAAI,CAAC;QACH,YAAY,GAAG,CAAC,MAAM,IAAA,yCAAiC,EAAC,IAAI,UAAU,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAQ,CAAA;IAC1G,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;IAC1B,CAAC;IACD,MAAM,WAAW,GAAG,IAAA,sCAAyB,EAAC,OAAO,CAAC,CAAA;IACtD,MAAM,eAAe,GAAG,MAAM,IAAA,0BAAkB,EAAC,WAAW,CAAC,CAAA;IAC7D,MAAM,kBAAkB,GAAG,IAAA,gCAAwB,GAAE,CAAC,cAAc,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;IAC7F,OAAO;QACL,kBAAkB;QAClB,aAAa;QACb,YAAY;QACZ,YAAY;QACZ,eAAe;QACf,WAAW;QACX,eAAe;KAChB,CAAA;AACH,CAAC,CAAA,CAAA;AAtBY,QAAA,gBAAgB,oBAsB5B;AACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuIE;AAEF,MAAM,MAAM,GAA2B;IACrC,SAAS,EAAE,GAAG;IACd,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;IAChB,SAAS,EAAE,IAAI;IACf,SAAS,EAAE,GAAG;IACd,SAAS,EAAE,IAAI;IACf,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;IAChB,UAAU,EAAE,GAAG;IACf,SAAS,EAAE,IAAI;IACf,sBAAsB,EAAE,QAAQ;CACjC,CAAA;AAEM,MAAM,WAAW,GAAG,CAAC,IAAiB,EAAU,EAAE;IACvD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;QAC3C,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;KACpD,CAAA;AACH,CAAC,CAAA;AALY,QAAA,WAAW,eAKvB;AAEM,MAAM,YAAY,GAAG,CAAC,IAAiB,EAAU,EAAE;IACxD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5C,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;KACrD,CAAA;AACH,CAAC,CAAA;AALY,QAAA,YAAY,gBAKxB;AAED,MAAM,WAAW,GAAG,CAAC,cAAuC,EAA0B,EAAE;;IACtF,MAAM,EAAE,GAA2B,EAAE,CAAA;IACrC,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,MAAA,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,mCAAI,YAAY,CAAC,IAAI,CAAA;QAC3D,EAAE,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC,CAAA;AACD,MAAM,WAAW,GAAG,CAAC,cAAuC,EAAU,EAAE;IACtE,OAAO,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;SAC/C,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;SACxC,IAAI,CAAC,GAAG,CAAC,CAAA;AACd,CAAC,CAAA;AAEM,MAAM,iCAAiC,GAAG,CAAO,YAA+C,EAAgB,EAAE;IACvH,MAAM,WAAW,GACf,OAAO,YAAY,KAAK,QAAQ;QAC9B,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,WAAW,CAAC;QACtE,CAAC,CAAC,YAAY,YAAY,UAAU;YACpC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,EAAE,WAAW,CAAC;YACzC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,WAAW,CAAC,EAAE,WAAW,CAAC,CAAA;IAC7F,MAAM,GAAG,GAAG,IAAA,qBAAQ,EAAC,WAAW,CAAC,CAAA;IACjC,MAAM,WAAW,GAAG,IAAA,sCAAyB,EAAC,GAAG,CAAC,CAAA;IAClD,IAAI,GAAoB,CAAA;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,iBAAS,EAAC,IAAI,CAAC,CAAC,MAAM,CAAA;QACrC,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,YAAY,CAAC,SAAS,EAAE,mBAAmB,EAAE,CAAC,CAAA;QAC3E,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC,CAAoB,CAAA;IAC9D,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,CAAC,CAAA;IACpE,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,CAAC;YACH,GAAG,GAAG,CAAC,MAAM,uBAAI,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAQ,CAAA;QAC7C,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,CAAC,GAAG,CAAC,+CAA+C,EAAE,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,CAAC,CAAA;QAC9E,CAAC;IACH,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,KAAK,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;IAC1D,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC,CAAA,CAAA;AA5BY,QAAA,iCAAiC,qCA4B7C;AAED;;;;;;;;;;GAUG;AACH,IAAY,6BAKX;AALD,WAAY,6BAA6B;IACvC,6FAAc,CAAA;IACd,uFAAW,CAAA;IACX,2HAA6B,CAAA;IAC7B,2FAAa,CAAA;AACf,CAAC,EALW,6BAA6B,6CAA7B,6BAA6B,QAKxC;AASM,MAAM,sCAAsC,GAAG,CAAC,WAAwB,EAAE,QAAgB,EAAE,cAA8B,EAAQ,EAAE;IACzI,MAAM,IAAI,GAAG,IAAA,kCAA0B,EAAC,WAAW,EAAE,EAAE,oBAAoB,EAAE,cAAc,EAAE,CAAC,CAAA;IAC9F,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAA;IAClE,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,KAAK,CACT,oBAAoB,cAAc,0EAChC,IAAA,oBAAY,EAAC,WAAW,CAAC,CAAC,EAC5B,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CACpD,CAAA;IACH,CAAC;AACH,CAAC,CAAA;AAVY,QAAA,sCAAsC,0CAUlD;AAEM,MAAM,6CAA6C,GAAG,CAC3D,WAAwB,EACxB,QAAgB,EAChB,cAA8B,EACC,EAAE;IACjC,MAAM,MAAM,GAAG;QACb,KAAK,EAAE,IAAI;QACX,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE,aAAa,QAAQ,gDAAgD,cAAc,EAAE;QAC9F,MAAM,EAAE;YACN,QAAQ;YACR,cAAc;SACf;QACD,gBAAgB,EAAE,CAAC,MAAM,IAAA,0BAAkB,EAAC,WAAW,CAAC,CAAC;QACzD,gBAAgB,EAAE,IAAI,IAAI,EAAE;KAC7B,CAAA;IACD,IAAI,CAAC;QACH,IAAA,8CAAsC,EAAC,WAAW,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;IAC/E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,MAAM,CAAA;IACf,CAAC;IACD,MAAM,CAAC,KAAK,GAAG,KAAK,CAAA;IACpB,MAAM,CAAC,OAAO,GAAG,aAAa,QAAQ,4CAA4C,cAAc,EAAE,CAAA;IAClG,OAAO,MAAM,CAAA;AACf,CAAC,CAAA,CAAA;AAxBY,QAAA,6CAA6C,iDAwBzD;AAEM,MAAM,0BAA0B,GAAG,CACxC,WAAwB,EACxB,IAIC,EACyB,EAAE;;IAC5B,IAAI,UAA2C,CAAA;IAC/C,IAAI,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,oBAAoB,EAAE,CAAC;QAC/B,UAAU;YACR,IAAI,CAAC,oBAAoB,KAAK,cAAc;gBAC1C,CAAC,CAAC,CAAC,6BAA6B,CAAC,OAAO,CAAC;gBACzC,CAAC,CAAC,CAAC,6BAA6B,CAAC,yBAAyB,CAAC,CAAA;IACjE,CAAC;SAAM,IAAI,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,UAAU,EAAE,CAAC;QAC5B,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IACnF,CAAC;SAAM,CAAC;QACN,UAAU,GAAG,CAAC,6BAA6B,CAAC,OAAO,EAAE,6BAA6B,CAAC,yBAAyB,CAAC,CAAA;IAC/G,CAAC;IACD,MAAM,WAAW,GAAG,MAAA,MAAA,WAAW,CAAC,UAAU,0CAAE,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,yBAAiB,CAAC,0CAAE,WAAsB,CAAA;IACnH,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,CAAA;IACX,CAAC;IACD,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAA;IAC9C,OAAO,QAAQ;SACZ,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;SACtD,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QACf,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAmC,CAAA;IACtF,CAAC,CAAC,CAAA;AACN,CAAC,CAAA;AA7BY,QAAA,0BAA0B,8BA6BtC"}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sphereon/ssi-sdk-ext.x509-utils",
|
|
3
3
|
"description": "Sphereon SSI-SDK plugin functions for X.509 Certificate handling.",
|
|
4
|
-
"version": "0.26.1-feature.SPRIND.124.esim.
|
|
4
|
+
"version": "0.26.1-feature.SPRIND.124.esim.47+42ba7ee",
|
|
5
5
|
"source": "src/index.ts",
|
|
6
6
|
"main": "dist/index.js",
|
|
7
7
|
"types": "dist/index.d.ts",
|
|
@@ -42,5 +42,5 @@
|
|
|
42
42
|
"DID",
|
|
43
43
|
"Veramo"
|
|
44
44
|
],
|
|
45
|
-
"gitHead": "
|
|
45
|
+
"gitHead": "42ba7ee7bd6c38f0b7d1a98b46dfb8e9067172d4"
|
|
46
46
|
}
|
package/src/x509/crypto.ts
CHANGED
|
@@ -1,20 +1,19 @@
|
|
|
1
|
-
|
|
2
1
|
export const globalCrypto = (setGlobal: boolean, suppliedCrypto?: Crypto): Crypto => {
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
2
|
+
let webcrypto: Crypto
|
|
3
|
+
if (typeof suppliedCrypto !== 'undefined') {
|
|
4
|
+
webcrypto = suppliedCrypto
|
|
5
|
+
} else if (typeof crypto !== 'undefined') {
|
|
6
|
+
webcrypto = crypto
|
|
7
|
+
} else if (typeof global.crypto !== 'undefined') {
|
|
8
|
+
webcrypto = global.crypto
|
|
9
|
+
} else if (typeof global.window?.crypto?.subtle !== 'undefined') {
|
|
10
|
+
webcrypto = global.window.crypto
|
|
11
|
+
} else {
|
|
12
|
+
webcrypto = require('crypto') as Crypto
|
|
13
|
+
}
|
|
14
|
+
if (setGlobal) {
|
|
15
|
+
global.crypto = webcrypto
|
|
16
|
+
}
|
|
18
17
|
|
|
19
|
-
|
|
18
|
+
return webcrypto
|
|
20
19
|
}
|
package/src/x509/rsa-key.ts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import * as u8a from 'uint8arrays'
|
|
2
2
|
import { HashAlgorithm } from '../types'
|
|
3
|
-
import {globalCrypto} from
|
|
3
|
+
import { globalCrypto } from './crypto'
|
|
4
4
|
|
|
5
5
|
import { derToPEM } from './x509-utils'
|
|
6
6
|
|
|
@@ -59,7 +59,6 @@ export const cryptoSubtleImportRSAKey = async (
|
|
|
59
59
|
return await globalCrypto(false).subtle.importKey('jwk', jwk as JsonWebKey, importParams, false, usage(jwk))
|
|
60
60
|
}
|
|
61
61
|
|
|
62
|
-
|
|
63
62
|
export const generateRSAKeyAsPEM = async (
|
|
64
63
|
scheme: RSAEncryptionSchemes | RSASignatureSchemes,
|
|
65
64
|
hashAlgorithm?: HashAlgorithm,
|
package/src/x509/rsa-signer.ts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import * as u8a from 'uint8arrays'
|
|
2
2
|
import { HashAlgorithm, KeyVisibility } from '../types'
|
|
3
|
-
import {globalCrypto} from
|
|
3
|
+
import { globalCrypto } from './crypto'
|
|
4
4
|
import { cryptoSubtleImportRSAKey, RSAEncryptionSchemes, RSASignatureSchemes } from './rsa-key'
|
|
5
5
|
import { PEMToJwk } from './x509-utils'
|
|
6
6
|
|
|
@@ -4,18 +4,10 @@ import { AlgorithmProvider, X509Certificate } from '@peculiar/x509'
|
|
|
4
4
|
// import {calculateJwkThumbprint} from "@sphereon/ssi-sdk-ext.key-utils";
|
|
5
5
|
import { JWK } from '@sphereon/ssi-types'
|
|
6
6
|
import x509 from 'js-x509-utils'
|
|
7
|
-
import {
|
|
8
|
-
AltName,
|
|
9
|
-
AttributeTypeAndValue,
|
|
10
|
-
Certificate,
|
|
11
|
-
CertificateChainValidationEngine,
|
|
12
|
-
CryptoEngine,
|
|
13
|
-
getCrypto,
|
|
14
|
-
id_SubjectAltName,
|
|
15
|
-
setEngine,
|
|
16
|
-
} from 'pkijs'
|
|
7
|
+
import { AltName, AttributeTypeAndValue, Certificate, CryptoEngine, getCrypto, id_SubjectAltName, setEngine } from 'pkijs'
|
|
17
8
|
import { container } from 'tsyringe'
|
|
18
9
|
import * as u8a from 'uint8arrays'
|
|
10
|
+
import { globalCrypto } from './crypto'
|
|
19
11
|
import { areCertificatesEqual, derToPEM, pemOrDerToX509Certificate } from './x509-utils'
|
|
20
12
|
|
|
21
13
|
export type DNInfo = {
|
|
@@ -53,23 +45,9 @@ export type X509ValidationResult = {
|
|
|
53
45
|
}
|
|
54
46
|
|
|
55
47
|
const defaultCryptoEngine = () => {
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
if ('webkitSubtle' in self.crypto) {
|
|
60
|
-
engineName = 'safari'
|
|
61
|
-
}
|
|
62
|
-
setEngine(engineName, new CryptoEngine({ name: engineName, crypto: crypto }))
|
|
63
|
-
}
|
|
64
|
-
} else if (typeof crypto !== 'undefined' && 'webcrypto' in crypto) {
|
|
65
|
-
const name = 'NodeJS ^15'
|
|
66
|
-
const nodeCrypto = crypto.webcrypto
|
|
67
|
-
// @ts-ignore
|
|
68
|
-
setEngine(name, new CryptoEngine({ name, crypto: nodeCrypto }))
|
|
69
|
-
} else if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
|
|
70
|
-
const name = 'crypto'
|
|
71
|
-
setEngine(name, new CryptoEngine({ name, crypto: crypto }))
|
|
72
|
-
}
|
|
48
|
+
const name = 'crypto'
|
|
49
|
+
setEngine(name, new CryptoEngine({ name, crypto: globalCrypto(false) }))
|
|
50
|
+
return getCrypto(true)
|
|
73
51
|
}
|
|
74
52
|
|
|
75
53
|
export const getCertificateInfo = async (
|
|
@@ -78,14 +56,17 @@ export const getCertificateInfo = async (
|
|
|
78
56
|
sanTypeFilter: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]
|
|
79
57
|
}
|
|
80
58
|
): Promise<CertificateInfo> => {
|
|
81
|
-
|
|
59
|
+
let publicKeyJWK: JWK | undefined
|
|
60
|
+
try {
|
|
61
|
+
publicKeyJWK = (await getCertificateSubjectPublicKeyJWK(certificate)) as JWK
|
|
62
|
+
} catch (e) {}
|
|
82
63
|
return {
|
|
83
64
|
issuer: { dn: getIssuerDN(certificate) },
|
|
84
65
|
subject: {
|
|
85
66
|
dn: getSubjectDN(certificate),
|
|
86
67
|
subjectAlternativeNames: getSubjectAlternativeNames(certificate, { typeFilter: opts?.sanTypeFilter }),
|
|
87
68
|
},
|
|
88
|
-
publicKeyJWK
|
|
69
|
+
publicKeyJWK,
|
|
89
70
|
notBefore: certificate.notBefore.value,
|
|
90
71
|
notAfter: certificate.notAfter.value,
|
|
91
72
|
// certificate
|
|
@@ -93,6 +74,9 @@ export const getCertificateInfo = async (
|
|
|
93
74
|
}
|
|
94
75
|
|
|
95
76
|
export type X509CertificateChainValidationOpts = {
|
|
77
|
+
// If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)
|
|
78
|
+
allowNoTrustAnchorsFound?: boolean
|
|
79
|
+
|
|
96
80
|
// Trust the supplied root from the chain, when no anchors are being passed in.
|
|
97
81
|
trustRootWhenNoAnchors?: boolean
|
|
98
82
|
// Do not perform a chain validation check if the chain only has a single value. This means only the certificate itself will be validated. No chain checks for CA certs will be performed. Only used when the cert has no issuer
|
|
@@ -115,6 +99,8 @@ export const validateX509CertificateChain = async ({
|
|
|
115
99
|
trustAnchors,
|
|
116
100
|
verificationTime = new Date(),
|
|
117
101
|
opts = {
|
|
102
|
+
// If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)
|
|
103
|
+
allowNoTrustAnchorsFound: false,
|
|
118
104
|
trustRootWhenNoAnchors: false,
|
|
119
105
|
allowSingleNoCAChainElement: true,
|
|
120
106
|
blindlyTrustedAnchors: [],
|
|
@@ -129,7 +115,7 @@ export const validateX509CertificateChain = async ({
|
|
|
129
115
|
// We allow 1 reversal. We reverse by default as the implementation expects the root ca first, whilst x5c is the opposite. Reversed becomes true if the impl reverses the chain
|
|
130
116
|
return await validateX509CertificateChainImpl({
|
|
131
117
|
reversed: false,
|
|
132
|
-
chain: pemOrDerChain.reverse(),
|
|
118
|
+
chain: [...pemOrDerChain].reverse(),
|
|
133
119
|
trustAnchors,
|
|
134
120
|
verificationTime,
|
|
135
121
|
opts,
|
|
@@ -150,6 +136,7 @@ const validateX509CertificateChainImpl = async ({
|
|
|
150
136
|
}): Promise<X509ValidationResult> => {
|
|
151
137
|
const verificationTime: Date = typeof verifyAt === 'string' ? new Date(verifyAt) : verifyAt
|
|
152
138
|
const {
|
|
139
|
+
allowNoTrustAnchorsFound = false,
|
|
153
140
|
trustRootWhenNoAnchors = false,
|
|
154
141
|
allowSingleNoCAChainElement = true,
|
|
155
142
|
blindlyTrustedAnchors = [],
|
|
@@ -168,11 +155,26 @@ const validateX509CertificateChainImpl = async ({
|
|
|
168
155
|
}
|
|
169
156
|
defaultCryptoEngine()
|
|
170
157
|
|
|
171
|
-
// x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around
|
|
158
|
+
// x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around. Before calling this function the change has been revered
|
|
172
159
|
const chain = await Promise.all(pemOrDerChain.map((raw) => parseCertificate(raw)))
|
|
160
|
+
const x5cOrdereredChain = reversed ? [...chain] : [...chain].reverse()
|
|
161
|
+
|
|
173
162
|
const trustedCerts = trustedPEMs ? await Promise.all(trustedPEMs.map((raw) => parseCertificate(raw))) : undefined
|
|
174
|
-
const blindlyTrusted =
|
|
175
|
-
|
|
163
|
+
const blindlyTrusted =
|
|
164
|
+
(
|
|
165
|
+
await Promise.all(
|
|
166
|
+
blindlyTrustedAnchors.map((raw) => {
|
|
167
|
+
try {
|
|
168
|
+
return parseCertificate(raw)
|
|
169
|
+
} catch (e) {
|
|
170
|
+
// @ts-ignore
|
|
171
|
+
console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`)
|
|
172
|
+
return undefined
|
|
173
|
+
}
|
|
174
|
+
})
|
|
175
|
+
)
|
|
176
|
+
).filter((cert): cert is ParsedCertificate => cert !== undefined) ?? []
|
|
177
|
+
const leafCert = x5cOrdereredChain[0]
|
|
176
178
|
|
|
177
179
|
const chainLength = chain.length
|
|
178
180
|
var foundTrustAnchor: ParsedCertificate | undefined = undefined
|
|
@@ -189,7 +191,7 @@ const validateX509CertificateChainImpl = async ({
|
|
|
189
191
|
detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`,
|
|
190
192
|
trustAnchor: blindlyTrustedCert?.certificateInfo,
|
|
191
193
|
verificationTime,
|
|
192
|
-
certificateChain:
|
|
194
|
+
certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
|
|
193
195
|
...(client && { client }),
|
|
194
196
|
}
|
|
195
197
|
}
|
|
@@ -198,7 +200,7 @@ const validateX509CertificateChainImpl = async ({
|
|
|
198
200
|
if (!reversed && !disallowReversedChain) {
|
|
199
201
|
return await validateX509CertificateChainImpl({
|
|
200
202
|
reversed: true,
|
|
201
|
-
chain: pemOrDerChain.reverse(),
|
|
203
|
+
chain: [...pemOrDerChain].reverse(),
|
|
202
204
|
opts,
|
|
203
205
|
verificationTime,
|
|
204
206
|
trustAnchors,
|
|
@@ -207,6 +209,7 @@ const validateX509CertificateChainImpl = async ({
|
|
|
207
209
|
return {
|
|
208
210
|
error: true,
|
|
209
211
|
critical: true,
|
|
212
|
+
certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
|
|
210
213
|
message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
|
|
211
214
|
detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert?.certificateInfo.subject.dn.DN} with subject string ${previousCert?.x509Certificate.subject}.`,
|
|
212
215
|
verificationTime,
|
|
@@ -222,19 +225,22 @@ const validateX509CertificateChainImpl = async ({
|
|
|
222
225
|
getCrypto()?.crypto ?? crypto ?? global.crypto
|
|
223
226
|
)
|
|
224
227
|
if (!result) {
|
|
228
|
+
// First cert needs to be self signed
|
|
225
229
|
if (i == 0 && !reversed && !disallowReversedChain) {
|
|
226
230
|
return await validateX509CertificateChainImpl({
|
|
227
231
|
reversed: true,
|
|
228
|
-
chain: pemOrDerChain.reverse(),
|
|
232
|
+
chain: [...pemOrDerChain].reverse(),
|
|
229
233
|
opts,
|
|
230
234
|
verificationTime,
|
|
231
235
|
trustAnchors,
|
|
232
236
|
})
|
|
233
237
|
}
|
|
238
|
+
|
|
234
239
|
return {
|
|
235
240
|
error: true,
|
|
236
241
|
critical: true,
|
|
237
242
|
message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
|
|
243
|
+
certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
|
|
238
244
|
detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${
|
|
239
245
|
currentCert.x509Certificate.issuer
|
|
240
246
|
} failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`,
|
|
@@ -250,6 +256,7 @@ const validateX509CertificateChainImpl = async ({
|
|
|
250
256
|
error: false,
|
|
251
257
|
critical: false,
|
|
252
258
|
message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`,
|
|
259
|
+
certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
|
|
253
260
|
trustAnchor: foundTrustAnchor?.certificateInfo,
|
|
254
261
|
verificationTime,
|
|
255
262
|
...(client && { client }),
|
|
@@ -257,12 +264,15 @@ const validateX509CertificateChainImpl = async ({
|
|
|
257
264
|
}
|
|
258
265
|
}
|
|
259
266
|
|
|
260
|
-
if (foundTrustAnchor?.certificateInfo) {
|
|
267
|
+
if (foundTrustAnchor?.certificateInfo || allowNoTrustAnchorsFound) {
|
|
261
268
|
return {
|
|
262
269
|
error: false,
|
|
263
270
|
critical: false,
|
|
264
271
|
message: `Certificate chain was valid`,
|
|
265
|
-
|
|
272
|
+
certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
|
|
273
|
+
detailMessage: foundTrustAnchor
|
|
274
|
+
? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor?.certificateInfo.subject.dn.DN}.`
|
|
275
|
+
: `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,
|
|
266
276
|
trustAnchor: foundTrustAnchor?.certificateInfo,
|
|
267
277
|
verificationTime,
|
|
268
278
|
...(client && { client }),
|
|
@@ -273,9 +283,10 @@ const validateX509CertificateChainImpl = async ({
|
|
|
273
283
|
error: true,
|
|
274
284
|
critical: true,
|
|
275
285
|
message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
286
|
+
certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
|
|
287
|
+
detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${
|
|
288
|
+
x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN
|
|
289
|
+
} and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`,
|
|
279
290
|
verificationTime,
|
|
280
291
|
...(client && { client }),
|
|
281
292
|
}
|
|
@@ -292,7 +303,7 @@ export const getX509AlgorithmProvider = (): AlgorithmProvider => {
|
|
|
292
303
|
|
|
293
304
|
export type ParsedCertificate = {
|
|
294
305
|
publicKeyInfo: SubjectPublicKeyInfo
|
|
295
|
-
publicKeyJwk
|
|
306
|
+
publicKeyJwk?: JWK
|
|
296
307
|
publicKeyRaw: Uint8Array
|
|
297
308
|
publicKeyAlgorithm: Algorithm
|
|
298
309
|
certificateInfo: CertificateInfo
|
|
@@ -304,7 +315,12 @@ export const parseCertificate = async (rawCert: string | Uint8Array): Promise<Pa
|
|
|
304
315
|
const x509Certificate = new X509Certificate(rawCert)
|
|
305
316
|
const publicKeyInfo = AsnParser.parse(x509Certificate.publicKey.rawData, SubjectPublicKeyInfo)
|
|
306
317
|
const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey)
|
|
307
|
-
|
|
318
|
+
let publicKeyJwk: JWK | undefined = undefined
|
|
319
|
+
try {
|
|
320
|
+
publicKeyJwk = (await getCertificateSubjectPublicKeyJWK(new Uint8Array(x509Certificate.rawData))) as JWK
|
|
321
|
+
} catch (e: any) {
|
|
322
|
+
console.error(e.message)
|
|
323
|
+
}
|
|
308
324
|
const certificate = pemOrDerToX509Certificate(rawCert)
|
|
309
325
|
const certificateInfo = await getCertificateInfo(certificate)
|
|
310
326
|
const publicKeyAlgorithm = getX509AlgorithmProvider().toWebAlgorithm(publicKeyInfo.algorithm)
|
|
@@ -318,129 +334,142 @@ export const parseCertificate = async (rawCert: string | Uint8Array): Promise<Pa
|
|
|
318
334
|
x509Certificate,
|
|
319
335
|
}
|
|
320
336
|
}
|
|
337
|
+
/*
|
|
321
338
|
|
|
322
|
-
|
|
339
|
+
/!**
|
|
323
340
|
*
|
|
324
341
|
* @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
|
|
325
342
|
* @param trustedPEMs
|
|
326
343
|
* @param verificationTime
|
|
327
344
|
* @param opts
|
|
328
|
-
|
|
345
|
+
*!/
|
|
329
346
|
export const validateX509CertificateChainOrg = async ({
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
}: {
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
342
|
-
|
|
347
|
+
chain: pemOrDerChain,
|
|
348
|
+
trustAnchors,
|
|
349
|
+
verificationTime = new Date(),
|
|
350
|
+
opts = {
|
|
351
|
+
trustRootWhenNoAnchors: false,
|
|
352
|
+
allowSingleNoCAChainElement: true,
|
|
353
|
+
blindlyTrustedAnchors: [],
|
|
354
|
+
},
|
|
355
|
+
}: {
|
|
356
|
+
chain: (Uint8Array | string)[]
|
|
357
|
+
trustAnchors?: string[]
|
|
358
|
+
verificationTime?: Date
|
|
359
|
+
opts?: X509CertificateChainValidationOpts
|
|
343
360
|
}): Promise<X509ValidationResult> => {
|
|
344
|
-
|
|
345
|
-
|
|
361
|
+
const {
|
|
362
|
+
trustRootWhenNoAnchors = false,
|
|
363
|
+
allowSingleNoCAChainElement = true,
|
|
364
|
+
blindlyTrustedAnchors = [],
|
|
365
|
+
client
|
|
366
|
+
} = opts
|
|
367
|
+
const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors
|
|
368
|
+
|
|
369
|
+
if (pemOrDerChain.length === 0) {
|
|
370
|
+
return {
|
|
371
|
+
error: true,
|
|
372
|
+
critical: true,
|
|
373
|
+
message: 'Certificate chain in DER or PEM format must not be empty',
|
|
374
|
+
verificationTime,
|
|
375
|
+
}
|
|
376
|
+
}
|
|
346
377
|
|
|
347
|
-
|
|
348
|
-
|
|
349
|
-
|
|
350
|
-
|
|
351
|
-
|
|
352
|
-
|
|
378
|
+
// x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around
|
|
379
|
+
const certs = pemOrDerChain.map(pemOrDerToX509Certificate).reverse()
|
|
380
|
+
const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined
|
|
381
|
+
defaultCryptoEngine()
|
|
382
|
+
|
|
383
|
+
if (pemOrDerChain.length === 1) {
|
|
384
|
+
const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')
|
|
385
|
+
const cert = pemOrDerToX509Certificate(singleCert)
|
|
386
|
+
if (client) {
|
|
387
|
+
const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)
|
|
388
|
+
if (validation.error) {
|
|
389
|
+
return validation
|
|
390
|
+
}
|
|
391
|
+
}
|
|
392
|
+
if (blindlyTrustedAnchors.includes(singleCert)) {
|
|
393
|
+
console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)
|
|
394
|
+
return {
|
|
395
|
+
error: false,
|
|
396
|
+
critical: true,
|
|
397
|
+
message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,
|
|
398
|
+
verificationTime,
|
|
399
|
+
certificateChain: [await getCertificateInfo(cert)],
|
|
400
|
+
...(client && {client}),
|
|
401
|
+
}
|
|
402
|
+
}
|
|
403
|
+
if (allowSingleNoCAChainElement) {
|
|
404
|
+
const subjectDN = getSubjectDN(cert).DN
|
|
405
|
+
if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {
|
|
406
|
+
const passed = await cert.verify()
|
|
407
|
+
return {
|
|
408
|
+
error: !passed,
|
|
409
|
+
critical: true,
|
|
410
|
+
message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,
|
|
411
|
+
verificationTime,
|
|
412
|
+
certificateChain: [await getCertificateInfo(cert)],
|
|
413
|
+
...(client && {client}),
|
|
414
|
+
}
|
|
415
|
+
}
|
|
416
|
+
}
|
|
353
417
|
}
|
|
354
|
-
}
|
|
355
418
|
|
|
356
|
-
|
|
357
|
-
|
|
358
|
-
|
|
359
|
-
|
|
419
|
+
const validationEngine = new CertificateChainValidationEngine({
|
|
420
|
+
certs /!*crls: [crl1], ocsps: [ocsp1], *!/,
|
|
421
|
+
checkDate: verificationTime,
|
|
422
|
+
trustedCerts,
|
|
423
|
+
})
|
|
360
424
|
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
|
|
364
|
-
|
|
365
|
-
|
|
366
|
-
|
|
367
|
-
|
|
368
|
-
|
|
369
|
-
|
|
370
|
-
|
|
371
|
-
|
|
372
|
-
|
|
373
|
-
|
|
374
|
-
|
|
375
|
-
|
|
376
|
-
|
|
377
|
-
|
|
378
|
-
|
|
379
|
-
|
|
380
|
-
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
critical: true,
|
|
388
|
-
message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,
|
|
389
|
-
verificationTime,
|
|
390
|
-
certificateChain: [await getCertificateInfo(cert)],
|
|
391
|
-
...(client && { client }),
|
|
425
|
+
try {
|
|
426
|
+
const verification = await validationEngine.verify()
|
|
427
|
+
if (!verification.result || !verification.certificatePath) {
|
|
428
|
+
return {
|
|
429
|
+
error: true,
|
|
430
|
+
critical: true,
|
|
431
|
+
message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,
|
|
432
|
+
verificationTime,
|
|
433
|
+
...(client && {client}),
|
|
434
|
+
}
|
|
435
|
+
}
|
|
436
|
+
const certPath = verification.certificatePath
|
|
437
|
+
if (client) {
|
|
438
|
+
const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)
|
|
439
|
+
if (clientIdValidation.error) {
|
|
440
|
+
return clientIdValidation
|
|
441
|
+
}
|
|
442
|
+
}
|
|
443
|
+
let certInfos: Array<CertificateInfo> | undefined
|
|
444
|
+
|
|
445
|
+
for (const certificate of certPath) {
|
|
446
|
+
try {
|
|
447
|
+
certInfos?.push(await getCertificateInfo(certificate))
|
|
448
|
+
} catch (e: any) {
|
|
449
|
+
console.log(`Error getting certificate info ${e.message}`)
|
|
450
|
+
}
|
|
392
451
|
}
|
|
393
|
-
}
|
|
394
|
-
}
|
|
395
|
-
}
|
|
396
452
|
|
|
397
|
-
const validationEngine = new CertificateChainValidationEngine({
|
|
398
|
-
certs /*crls: [crl1], ocsps: [ocsp1], */,
|
|
399
|
-
checkDate: verificationTime,
|
|
400
|
-
trustedCerts,
|
|
401
|
-
})
|
|
402
453
|
|
|
403
|
-
|
|
404
|
-
|
|
405
|
-
|
|
406
|
-
|
|
407
|
-
|
|
408
|
-
|
|
409
|
-
|
|
410
|
-
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
}
|
|
420
|
-
}
|
|
421
|
-
const certInfos: Array<CertificateInfo> = await Promise.all(
|
|
422
|
-
certPath.map(async (certificate) => {
|
|
423
|
-
return getCertificateInfo(certificate)
|
|
424
|
-
})
|
|
425
|
-
)
|
|
426
|
-
return {
|
|
427
|
-
error: false,
|
|
428
|
-
critical: false,
|
|
429
|
-
message: `Certificate chain was valid`,
|
|
430
|
-
verificationTime,
|
|
431
|
-
certificateChain: certInfos,
|
|
432
|
-
...(client && { client }),
|
|
433
|
-
}
|
|
434
|
-
} catch (error: any) {
|
|
435
|
-
return {
|
|
436
|
-
error: true,
|
|
437
|
-
critical: true,
|
|
438
|
-
message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,
|
|
439
|
-
verificationTime,
|
|
440
|
-
...(client && { client }),
|
|
454
|
+
return {
|
|
455
|
+
error: false,
|
|
456
|
+
critical: false,
|
|
457
|
+
message: `Certificate chain was valid`,
|
|
458
|
+
verificationTime,
|
|
459
|
+
certificateChain: certInfos,
|
|
460
|
+
...(client && {client}),
|
|
461
|
+
}
|
|
462
|
+
} catch (error: any) {
|
|
463
|
+
return {
|
|
464
|
+
error: true,
|
|
465
|
+
critical: true,
|
|
466
|
+
message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,
|
|
467
|
+
verificationTime,
|
|
468
|
+
...(client && {client}),
|
|
469
|
+
}
|
|
441
470
|
}
|
|
442
|
-
}
|
|
443
471
|
}
|
|
472
|
+
*/
|
|
444
473
|
|
|
445
474
|
const rdnmap: Record<string, string> = {
|
|
446
475
|
'2.5.4.6': 'C',
|
|
@@ -484,23 +513,34 @@ const getDNString = (typesAndValues: AttributeTypeAndValue[]): string => {
|
|
|
484
513
|
.join(',')
|
|
485
514
|
}
|
|
486
515
|
|
|
487
|
-
export const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | Uint8Array | Certificate): Promise<
|
|
516
|
+
export const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | Uint8Array | Certificate): Promise<JWK> => {
|
|
488
517
|
const pemOrDerStr =
|
|
489
518
|
typeof pemOrDerCert === 'string'
|
|
490
|
-
? pemOrDerCert
|
|
519
|
+
? u8a.toString(u8a.fromString(pemOrDerCert, 'base64pad'), 'base64pad')
|
|
491
520
|
: pemOrDerCert instanceof Uint8Array
|
|
492
521
|
? u8a.toString(pemOrDerCert, 'base64pad')
|
|
493
|
-
: pemOrDerCert.toString('base64')
|
|
522
|
+
: u8a.toString(u8a.fromString(pemOrDerCert.toString('base64'), 'base64pad'), 'base64pad')
|
|
494
523
|
const pem = derToPEM(pemOrDerStr)
|
|
495
524
|
const certificate = pemOrDerToX509Certificate(pem)
|
|
525
|
+
var jwk: JWK | undefined
|
|
496
526
|
try {
|
|
497
527
|
const subtle = getCrypto(true).subtle
|
|
498
|
-
const pk = await certificate.getPublicKey()
|
|
499
|
-
|
|
528
|
+
const pk = await certificate.getPublicKey(undefined, defaultCryptoEngine())
|
|
529
|
+
jwk = (await subtle.exportKey('jwk', pk)) as JWK | undefined
|
|
500
530
|
} catch (error: any) {
|
|
501
531
|
console.log(`Error in primary get JWK from cert:`, error?.message)
|
|
502
532
|
}
|
|
503
|
-
|
|
533
|
+
if (!jwk) {
|
|
534
|
+
try {
|
|
535
|
+
jwk = (await x509.toJwk(pem, 'pem')) as JWK
|
|
536
|
+
} catch (error: any) {
|
|
537
|
+
console.log(`Error in secondary get JWK from cert as well:`, error?.message)
|
|
538
|
+
}
|
|
539
|
+
}
|
|
540
|
+
if (!jwk) {
|
|
541
|
+
throw Error(`Failed to get JWK from certificate ${pem}`)
|
|
542
|
+
}
|
|
543
|
+
return jwk
|
|
504
544
|
}
|
|
505
545
|
|
|
506
546
|
/**
|