@sphereon/ssi-sdk-ext.x509-utils 0.28.1-feature.esm.cjs.8 → 0.28.1-feature.oyd.cmsm.improv.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dist/index.d.ts +5 -171
  2. package/dist/index.d.ts.map +1 -0
  3. package/dist/index.js +21 -749
  4. package/dist/index.js.map +1 -1
  5. package/dist/types/index.d.ts +14 -0
  6. package/dist/types/index.d.ts.map +1 -0
  7. package/dist/types/index.js +9 -0
  8. package/dist/types/index.js.map +1 -0
  9. package/dist/x509/crypto.d.ts +2 -0
  10. package/dist/x509/crypto.d.ts.map +1 -0
  11. package/dist/x509/crypto.js +28 -0
  12. package/dist/x509/crypto.js.map +1 -0
  13. package/dist/x509/index.d.ts +5 -0
  14. package/dist/x509/index.d.ts.map +1 -0
  15. package/dist/x509/index.js +21 -0
  16. package/dist/x509/index.js.map +1 -0
  17. package/dist/x509/rsa-key.d.ts +10 -0
  18. package/dist/x509/rsa-key.d.ts.map +1 -0
  19. package/dist/x509/rsa-key.js +102 -0
  20. package/dist/x509/rsa-key.js.map +1 -0
  21. package/dist/x509/rsa-signer.d.ts +24 -0
  22. package/dist/x509/rsa-signer.d.ts.map +1 -0
  23. package/dist/x509/rsa-signer.js +105 -0
  24. package/dist/x509/rsa-signer.js.map +1 -0
  25. package/dist/x509/x509-utils.d.ts +31 -0
  26. package/dist/x509/x509-utils.d.ts.map +1 -0
  27. package/dist/x509/x509-utils.js +215 -0
  28. package/dist/x509/x509-utils.js.map +1 -0
  29. package/dist/x509/x509-validator.d.ts +97 -0
  30. package/dist/x509/x509-validator.d.ts.map +1 -0
  31. package/dist/x509/x509-validator.js +489 -0
  32. package/dist/x509/x509-validator.js.map +1 -0
  33. package/package.json +12 -24
  34. package/src/x509/crypto.ts +5 -11
  35. package/src/x509/rsa-key.ts +2 -7
  36. package/src/x509/rsa-signer.ts +5 -10
  37. package/src/x509/x509-utils.ts +5 -9
  38. package/src/x509/x509-validator.ts +4 -8
  39. package/dist/index.cjs +0 -776
  40. package/dist/index.cjs.map +0 -1
  41. package/dist/index.d.cts +0 -173
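--- a/package/dist/x509/x509-validator.js
+++ b/package/dist/x509/x509-validator.js
@@ -0,0 +1,489 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+__setModuleDefault(result, mod);
+return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+return new (P || (P = Promise))(function (resolve, reject) {
+function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+step((generator = generator.apply(thisArg, _arguments || [])).next());
+});
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSubjectAlternativeNames = exports.validateCertificateChainMatchesClientIdScheme = exports.assertCertificateMatchesClientIdScheme = exports.SubjectAlternativeGeneralName = exports.getCertificateSubjectPublicKeyJWK = exports.getSubjectDN = exports.getIssuerDN = exports.parseCertificate = exports.getX509AlgorithmProvider = exports.validateX509CertificateChain = exports.getCertificateInfo = void 0;
+const asn1_schema_1 = require("@peculiar/asn1-schema");
+const asn1_x509_1 = require("@peculiar/asn1-x509");
+const x509_1 = require("@peculiar/x509");
+const js_x509_utils_1 = __importDefault(require("js-x509-utils"));
+const pkijs_1 = require("pkijs");
+const tsyringe_1 = require("tsyringe");
+const u8a = __importStar(require("uint8arrays"));
+const crypto_1 = require("./crypto");
+const x509_utils_1 = require("./x509-utils");
+const defaultCryptoEngine = () => {
+const name = 'crypto';
+(0, pkijs_1.setEngine)(name, new pkijs_1.CryptoEngine({ name, crypto: (0, crypto_1.globalCrypto)(false) }));
+return (0, pkijs_1.getCrypto)(true);
+};
+const getCertificateInfo = (certificate, opts) => __awaiter(void 0, void 0, void 0, function* () {
+let publicKeyJWK;
+try {
+publicKeyJWK = (yield (0, exports.getCertificateSubjectPublicKeyJWK)(certificate));
+}
+catch (e) { }
+return {
+issuer: { dn: (0, exports.getIssuerDN)(certificate) },
+subject: {
+dn: (0, exports.getSubjectDN)(certificate),
+subjectAlternativeNames: (0, exports.getSubjectAlternativeNames)(certificate, { typeFilter: opts === null || opts === void 0 ? void 0 : opts.sanTypeFilter }),
+},
+publicKeyJWK,
+notBefore: certificate.notBefore.value,
+notAfter: certificate.notAfter.value,
+// certificate
+};
+});
+exports.getCertificateInfo = getCertificateInfo;
+const validateX509CertificateChain = (_a) => __awaiter(void 0, [_a], void 0, function* ({ chain: pemOrDerChain, trustAnchors, verificationTime = new Date(), opts = {
+// If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)
+allowNoTrustAnchorsFound: false,
+trustRootWhenNoAnchors: false,
+allowSingleNoCAChainElement: true,
+blindlyTrustedAnchors: [],
+disallowReversedChain: false,
+}, }) {
+// We allow 1 reversal. We reverse by default as the implementation expects the root ca first, whilst x5c is the opposite. Reversed becomes true if the impl reverses the chain
+return yield validateX509CertificateChainImpl({
+reversed: false,
+chain: [...pemOrDerChain].reverse(),
+trustAnchors,
+verificationTime,
+opts,
+});
+});
+exports.validateX509CertificateChain = validateX509CertificateChain;
+const validateX509CertificateChainImpl = (_a) => __awaiter(void 0, [_a], void 0, function* ({ reversed, chain: pemOrDerChain, trustAnchors, verificationTime: verifyAt, opts, }) {
+var _b, _c, _d, _e, _f;
+const verificationTime = typeof verifyAt === 'string' ? new Date(verifyAt) : verifyAt;
+const { allowNoTrustAnchorsFound = false, trustRootWhenNoAnchors = false, allowSingleNoCAChainElement = true, blindlyTrustedAnchors = [], disallowReversedChain = false, client, } = opts;
+const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors;
+if (pemOrDerChain.length === 0) {
+return {
+error: true,
+critical: true,
+message: 'Certificate chain in DER or PEM format must not be empty',
+verificationTime,
+};
+}
+defaultCryptoEngine();
+// x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around. Before calling this function the change has been revered
+const chain = yield Promise.all(pemOrDerChain.map((raw) => (0, exports.parseCertificate)(raw)));
+const x5cOrdereredChain = reversed ? [...chain] : [...chain].reverse();
+const trustedCerts = trustedPEMs ? yield Promise.all(trustedPEMs.map((raw) => (0, exports.parseCertificate)(raw))) : undefined;
+const blindlyTrusted = (_b = (yield Promise.all(blindlyTrustedAnchors.map((raw) => {
+try {
+return (0, exports.parseCertificate)(raw);
+}
+catch (e) {
+// @ts-ignore
+console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`);
+return undefined;
+}
+}))).filter((cert) => cert !== undefined)) !== null && _b !== void 0 ? _b : [];
+const leafCert = x5cOrdereredChain[0];
+const chainLength = chain.length;
+var foundTrustAnchor = undefined;
+for (let i = 0; i < chainLength; i++) {
+const currentCert = chain[i];
+const previousCert = i > 0 ? chain[i - 1] : undefined;
+const blindlyTrustedCert = blindlyTrusted.find((trusted) => (0, x509_utils_1.areCertificatesEqual)(trusted.certificate, currentCert.certificate));
+if (blindlyTrustedCert) {
+console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`);
+return Object.assign({ error: false, critical: false, message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`, detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`, trustAnchor: blindlyTrustedCert === null || blindlyTrustedCert === void 0 ? void 0 : blindlyTrustedCert.certificateInfo, verificationTime, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo) }, (client && { client }));
+}
+if (previousCert) {
+if (currentCert.x509Certificate.issuer !== previousCert.x509Certificate.subject) {
+if (!reversed && !disallowReversedChain) {
+return yield validateX509CertificateChainImpl({
+reversed: true,
+chain: [...pemOrDerChain].reverse(),
+opts,
+verificationTime,
+trustAnchors,
+});
+}
+return Object.assign({ error: true, critical: true, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert === null || previousCert === void 0 ? void 0 : previousCert.certificateInfo.subject.dn.DN} with subject string ${previousCert === null || previousCert === void 0 ? void 0 : previousCert.x509Certificate.subject}.`, verificationTime }, (client && { client }));
+}
+}
+const result = yield currentCert.x509Certificate.verify({
+date: verificationTime,
+publicKey: (_c = previousCert === null || previousCert === void 0 ? void 0 : previousCert.x509Certificate) === null || _c === void 0 ? void 0 : _c.publicKey,
+}, (_f = (_e = (_d = (0, pkijs_1.getCrypto)()) === null || _d === void 0 ? void 0 : _d.crypto) !== null && _e !== void 0 ? _e : crypto) !== null && _f !== void 0 ? _f : global.crypto);
+if (!result) {
+// First cert needs to be self signed
+if (i == 0 && !reversed && !disallowReversedChain) {
+return yield validateX509CertificateChainImpl({
+reversed: true,
+chain: [...pemOrDerChain].reverse(),
+opts,
+verificationTime,
+trustAnchors,
+});
+}
+return Object.assign({ error: true, critical: true, message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer} failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`, verificationTime }, (client && { client }));
+}
+foundTrustAnchor = foundTrustAnchor !== null && foundTrustAnchor !== void 0 ? foundTrustAnchor : trustedCerts === null || trustedCerts === void 0 ? void 0 : trustedCerts.find((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate));
+if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {
+return Object.assign({ error: false, critical: false, message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), trustAnchor: foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo, verificationTime }, (client && { client }));
+}
+}
+if ((foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo) || allowNoTrustAnchorsFound) {
+return Object.assign({ error: false, critical: false, message: `Certificate chain was valid`, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), detailMessage: foundTrustAnchor
+? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo.subject.dn.DN}.`
+: `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`, trustAnchor: foundTrustAnchor === null || foundTrustAnchor === void 0 ? void 0 : foundTrustAnchor.certificateInfo, verificationTime }, (client && { client }));
+}
+return Object.assign({ error: true, critical: true, message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`, certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo), detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN} and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`, verificationTime }, (client && { client }));
+});
+const isSameCertificate = (cert1, cert2) => {
+return cert1.rawData.toString() === cert2.rawData.toString();
+};
+const algorithmProvider = tsyringe_1.container.resolve(x509_1.AlgorithmProvider);
+const getX509AlgorithmProvider = () => {
+return algorithmProvider;
+};
+exports.getX509AlgorithmProvider = getX509AlgorithmProvider;
+const parseCertificate = (rawCert) => __awaiter(void 0, void 0, void 0, function* () {
+const x509Certificate = new x509_1.X509Certificate(rawCert);
+const publicKeyInfo = asn1_schema_1.AsnParser.parse(x509Certificate.publicKey.rawData, asn1_x509_1.SubjectPublicKeyInfo);
+const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey);
+let publicKeyJwk = undefined;
+try {
+publicKeyJwk = (yield (0, exports.getCertificateSubjectPublicKeyJWK)(new Uint8Array(x509Certificate.rawData)));
+}
+catch (e) {
+console.error(e.message);
+}
+const certificate = (0, x509_utils_1.pemOrDerToX509Certificate)(rawCert);
+const certificateInfo = yield (0, exports.getCertificateInfo)(certificate);
+const publicKeyAlgorithm = (0, exports.getX509AlgorithmProvider)().toWebAlgorithm(publicKeyInfo.algorithm);
+return {
+publicKeyAlgorithm,
+publicKeyInfo,
+publicKeyJwk,
+publicKeyRaw,
+certificateInfo,
+certificate,
+x509Certificate,
+};
+});
+exports.parseCertificate = parseCertificate;
+/*
+
+/!**
+*
+* @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
+* @param trustedPEMs
+* @param verificationTime
+* @param opts
+*!/
+export const validateX509CertificateChainOrg = async ({
+chain: pemOrDerChain,
+trustAnchors,
+verificationTime = new Date(),
+opts = {
+trustRootWhenNoAnchors: false,
+allowSingleNoCAChainElement: true,
+blindlyTrustedAnchors: [],
+},
+}: {
+chain: (Uint8Array | string)[]
+trustAnchors?: string[]
+verificationTime?: Date
+opts?: X509CertificateChainValidationOpts
+}): Promise<X509ValidationResult> => {
+const {
+trustRootWhenNoAnchors = false,
+allowSingleNoCAChainElement = true,
+blindlyTrustedAnchors = [],
+client
+} = opts
+const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors
+
+if (pemOrDerChain.length === 0) {
+return {
+error: true,
+critical: true,
+message: 'Certificate chain in DER or PEM format must not be empty',
+verificationTime,
+}
+}
+
+// x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around
+const certs = pemOrDerChain.map(pemOrDerToX509Certificate).reverse()
+const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined
+defaultCryptoEngine()
+
+if (pemOrDerChain.length === 1) {
+const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')
+const cert = pemOrDerToX509Certificate(singleCert)
+if (client) {
+const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)
+if (validation.error) {
+return validation
+}
+}
+if (blindlyTrustedAnchors.includes(singleCert)) {
+console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)
+return {
+error: false,
+critical: true,
+message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,
+verificationTime,
+certificateChain: [await getCertificateInfo(cert)],
+...(client && {client}),
+}
+}
+if (allowSingleNoCAChainElement) {
+const subjectDN = getSubjectDN(cert).DN
+if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {
+const passed = await cert.verify()
+return {
+error: !passed,
+critical: true,
+message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,
+verificationTime,
+certificateChain: [await getCertificateInfo(cert)],
+...(client && {client}),
+}
+}
+}
+}
+
+const validationEngine = new CertificateChainValidationEngine({
+certs /!*crls: [crl1], ocsps: [ocsp1], *!/,
+checkDate: verificationTime,
+trustedCerts,
+})
+
+try {
+const verification = await validationEngine.verify()
+if (!verification.result || !verification.certificatePath) {
+return {
+error: true,
+critical: true,
+message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,
+verificationTime,
+...(client && {client}),
+}
+}
+const certPath = verification.certificatePath
+if (client) {
+const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)
+if (clientIdValidation.error) {
+return clientIdValidation
+}
+}
+let certInfos: Array<CertificateInfo> | undefined
+
+for (const certificate of certPath) {
+try {
+certInfos?.push(await getCertificateInfo(certificate))
+} catch (e: any) {
+console.log(`Error getting certificate info ${e.message}`)
+}
+}
+
+
+return {
+error: false,
+critical: false,
+message: `Certificate chain was valid`,
+verificationTime,
+certificateChain: certInfos,
+...(client && {client}),
+}
+} catch (error: any) {
+return {
+error: true,
+critical: true,
+message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,
+verificationTime,
+...(client && {client}),
+}
+}
+}
+*/
+const rdnmap = {
+'2.5.4.6': 'C',
+'2.5.4.10': 'O',
+'2.5.4.11': 'OU',
+'2.5.4.3': 'CN',
+'2.5.4.7': 'L',
+'2.5.4.8': 'ST',
+'2.5.4.12': 'T',
+'2.5.4.42': 'GN',
+'2.5.4.43': 'I',
+'2.5.4.4': 'SN',
+'1.2.840.113549.1.9.1': 'E-mail',
+};
+const getIssuerDN = (cert) => {
+return {
+DN: getDNString(cert.issuer.typesAndValues),
+attributes: getDNObject(cert.issuer.typesAndValues),
+};
+};
+exports.getIssuerDN = getIssuerDN;
+const getSubjectDN = (cert) => {
+return {
+DN: getDNString(cert.subject.typesAndValues),
+attributes: getDNObject(cert.subject.typesAndValues),
+};
+};
+exports.getSubjectDN = getSubjectDN;
+const getDNObject = (typesAndValues) => {
+var _a;
+const DN = {};
+for (const typeAndValue of typesAndValues) {
+const type = (_a = rdnmap[typeAndValue.type]) !== null && _a !== void 0 ? _a : typeAndValue.type;
+DN[type] = typeAndValue.value.getValue();
+}
+return DN;
+};
+const getDNString = (typesAndValues) => {
+return Object.entries(getDNObject(typesAndValues))
+.map(([key, value]) => `${key}=${value}`)
+.join(',');
+};
+const getCertificateSubjectPublicKeyJWK = (pemOrDerCert) => __awaiter(void 0, void 0, void 0, function* () {
+const pemOrDerStr = typeof pemOrDerCert === 'string'
+? u8a.toString(u8a.fromString(pemOrDerCert, 'base64pad'), 'base64pad')
+: pemOrDerCert instanceof Uint8Array
+? u8a.toString(pemOrDerCert, 'base64pad')
+: u8a.toString(u8a.fromString(pemOrDerCert.toString('base64'), 'base64pad'), 'base64pad');
+const pem = (0, x509_utils_1.derToPEM)(pemOrDerStr);
+const certificate = (0, x509_utils_1.pemOrDerToX509Certificate)(pem);
+var jwk;
+try {
+const subtle = (0, pkijs_1.getCrypto)(true).subtle;
+const pk = yield certificate.getPublicKey(undefined, defaultCryptoEngine());
+jwk = (yield subtle.exportKey('jwk', pk));
+}
+catch (error) {
+console.log(`Error in primary get JWK from cert:`, error === null || error === void 0 ? void 0 : error.message);
+}
+if (!jwk) {
+try {
+jwk = (yield js_x509_utils_1.default.toJwk(pem, 'pem'));
+}
+catch (error) {
+console.log(`Error in secondary get JWK from cert as well:`, error === null || error === void 0 ? void 0 : error.message);
+}
+}
+if (!jwk) {
+throw Error(`Failed to get JWK from certificate ${pem}`);
+}
+return jwk;
+});
+exports.getCertificateSubjectPublicKeyJWK = getCertificateSubjectPublicKeyJWK;
+/**
+* otherName [0] OtherName,
+* rfc822Name [1] IA5String,
+* dNSName [2] IA5String,
+* x400Address [3] ORAddress,
+* directoryName [4] Name,
+* ediPartyName [5] EDIPartyName,
+* uniformResourceIdentifier [6] IA5String,
+* iPAddress [7] OCTET STRING,
+* registeredID [8] OBJECT IDENTIFIER }
+*/
+var SubjectAlternativeGeneralName;
+(function (SubjectAlternativeGeneralName) {
+SubjectAlternativeGeneralName[SubjectAlternativeGeneralName["rfc822Name"] = 1] = "rfc822Name";
+SubjectAlternativeGeneralName[SubjectAlternativeGeneralName["dnsName"] = 2] = "dnsName";
+SubjectAlternativeGeneralName[SubjectAlternativeGeneralName["uniformResourceIdentifier"] = 6] = "uniformResourceIdentifier";
+SubjectAlternativeGeneralName[SubjectAlternativeGeneralName["ipAddress"] = 7] = "ipAddress";
+})(SubjectAlternativeGeneralName || (exports.SubjectAlternativeGeneralName = SubjectAlternativeGeneralName = {}));
+const assertCertificateMatchesClientIdScheme = (certificate, clientId, clientIdScheme) => {
+const sans = (0, exports.getSubjectAlternativeNames)(certificate, { clientIdSchemeFilter: clientIdScheme });
+const clientIdMatches = sans.find((san) => san.value === clientId);
+if (!clientIdMatches) {
+throw Error(`Client id scheme ${clientIdScheme} used had no matching subject alternative names in certificate with DN ${(0, exports.getSubjectDN)(certificate).DN}. SANS: ${sans.map((san) => san.value).join(',')}`);
+}
+};
+exports.assertCertificateMatchesClientIdScheme = assertCertificateMatchesClientIdScheme;
+const validateCertificateChainMatchesClientIdScheme = (certificate, clientId, clientIdScheme) => __awaiter(void 0, void 0, void 0, function* () {
+const result = {
+error: true,
+critical: true,
+message: `Client Id ${clientId} was not present in certificate using scheme ${clientIdScheme}`,
+client: {
+clientId,
+clientIdScheme,
+},
+certificateChain: [yield (0, exports.getCertificateInfo)(certificate)],
+verificationTime: new Date(),
+};
+try {
+(0, exports.assertCertificateMatchesClientIdScheme)(certificate, clientId, clientIdScheme);
+}
+catch (error) {
+return result;
+}
+result.error = false;
+result.message = `Client Id ${clientId} was present in certificate using scheme ${clientIdScheme}`;
+return result;
+});
+exports.validateCertificateChainMatchesClientIdScheme = validateCertificateChainMatchesClientIdScheme;
+const getSubjectAlternativeNames = (certificate, opts) => {
+var _a, _b;
+let typeFilter;
+if (opts === null || opts === void 0 ? void 0 : opts.clientIdSchemeFilter) {
+typeFilter =
+opts.clientIdSchemeFilter === 'x509_san_dns'
+? [SubjectAlternativeGeneralName.dnsName]
+: [SubjectAlternativeGeneralName.uniformResourceIdentifier];
+}
+else if (opts === null || opts === void 0 ? void 0 : opts.typeFilter) {
+typeFilter = Array.isArray(opts.typeFilter) ? opts.typeFilter : [opts.typeFilter];
+}
+else {
+typeFilter = [SubjectAlternativeGeneralName.dnsName, SubjectAlternativeGeneralName.uniformResourceIdentifier];
+}
+const parsedValue = (_b = (_a = certificate.extensions) === null || _a === void 0 ? void 0 : _a.find((ext) => ext.extnID === pkijs_1.id_SubjectAltName)) === null || _b === void 0 ? void 0 : _b.parsedValue;
+if (!parsedValue) {
+return [];
+}
+const altNames = parsedValue.toJSON().altNames;
+return altNames
+.filter((altName) => typeFilter.includes(altName.type))
+.map((altName) => {
+return { type: altName.type, value: altName.value };
+});
+};
+exports.getSubjectAlternativeNames = getSubjectAlternativeNames;
+//# sourceMappingURL=x509-validator.js.map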
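Review bot: `isSameCertificate` (hunk lines 172-174) decides the trust-anchor match at hunk line 160 by comparing `cert1.rawData.toString() === cert2.rawData.toString()`, and if `rawData` is an `ArrayBuffer` (as it is for `@peculiar/x509` `X509Certificate`) both sides are the constant string `[object ArrayBuffer]`, so the comparison is true for every pair of certificates; `trustedCerts.find(...)` would then return the first configured anchor for any chain whose internal signatures verify, and the result reports `error: false` with that anchor even though no chain certificate is actually trusted. The hunk already has a byte-wise comparison for the blindly-trusted lookup at line 124, so the anchor lookup should use the same helper: `trustedCerts.find((trusted) => (0, x509_utils_1.areCertificatesEqual)(trusted.certificate, currentCert.certificate))`, and `isSameCertificate` can then be dropped. Two further points in the same function: with `trustRootWhenNoAnchors` the anchor is taken from `pemOrDerChain[pemOrDerChain.length - 1]` (line 94) although the loop treats `chain[0]` as the self-signed start (comment at line 148), so in the ordering that succeeds this appears to select the leaf rather than the root, and `allowSingleNoCAChainElement` defaults to `true` (lines 76 and 93), which makes any self-signed single certificate validate with `error: false` and no anchor unless the caller opts out — both deserve a comment on the option defaults in `X509CertificateChainValidationOpts`. This file is compiled output; the fix presumably belongs in `package/src/x509/x509-validator.ts`, which is also in this diff.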
@@ -0,0 +1 @@
1
+ {"version":3,"file":"x509-validator.js","sourceRoot":"","sources":["../../src/x509/x509-validator.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uDAAiD;AACjD,mDAA0D;AAC1D,yCAAmE;AAGnE,kEAAgC;AAChC,iCAA0H;AAC1H,uCAAoC;AACpC,iDAAkC;AAClC,qCAAuC;AACvC,6CAAwF;AAoCxF,MAAM,mBAAmB,GAAG,GAAG,EAAE;IAC/B,MAAM,IAAI,GAAG,QAAQ,CAAA;IACrB,IAAA,iBAAS,EAAC,IAAI,EAAE,IAAI,oBAAY,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAA,qBAAY,EAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAA;IACxE,OAAO,IAAA,iBAAS,EAAC,IAAI,CAAC,CAAA;AACxB,CAAC,CAAA;AAEM,MAAM,kBAAkB,GAAG,CAChC,WAAwB,EACxB,IAEC,EACyB,EAAE;IAC5B,IAAI,YAA6B,CAAA;IACjC,IAAI,CAAC;QACH,YAAY,GAAG,CAAC,MAAM,IAAA,yCAAiC,EAAC,WAAW,CAAC,CAAQ,CAAA;IAC9E,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;IACd,OAAO;QACL,MAAM,EAAE,EAAE,EAAE,EAAE,IAAA,mBAAW,EAAC,WAAW,CAAC,EAAE;QACxC,OAAO,EAAE;YACP,EAAE,EAAE,IAAA,oBAAY,EAAC,WAAW,CAAC;YAC7B,uBAAuB,EAAE,IAAA,kCAA0B,EAAC,WAAW,EAAE,EAAE,UAAU,EAAE,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,aAAa,EAAE,CAAC;SACtG;QACD,YAAY;QACZ,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,KAAK;QACtC,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC,KAAK;QACpC,cAAc;KACW,CAAA;AAC7B,CAAC,CAAA,CAAA;AArBY,QAAA,kBAAkB,sBAqB9B;AAuBM,MAAM,4BAA4B,GAAG,KAiBV,EAAE,4CAjBe,EACjD,KAAK,EAAE,aAAa,EACpB,YAAY,EACZ,gBAAgB,GAAG,IAAI,IAAI,EAAE,EAC7B,IAAI,GAAG;IACL,4FAA4F;IAC5F,wBAAwB,EAAE,KAAK;IAC/B,sBAAsB,EAAE,KAAK;IAC7B,2BAA2B,EAAE,IAAI;IACjC,qBAAqB,EAAE,EAAE;IACzB,qBAAqB,EAAE,KAAK;CAC7B,GAMF;IACC,+KAA+K;IAC/K,OAAO,MAAM,gCAAgC,CAAC;QAC5C,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC,OAAO,EAAE;QACnC,YAAY;QACZ,gBAAgB;QAChB,IAAI;KACL,CAAC,CAAA;AACJ,CAAC,CAAA,CAAA;AA1BY,QAAA,4BAA4B,gCA0BxC;AACD,MAAM,gCAAgC,GAAG,KAYP,EAAE,4CAZY,EAC9C,QAAQ,EACR,KAAK,EAAE,aAAa,EACpB,YAAY,EACZ,gBAAgB,EAAE,QAAQ,EAC1B,IAAI,GAOL;;IACC,MAAM,gBAAgB,GAAS,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;IAC3F,MAAM,EACJ,wBAAwB,GAAG,KAAK,EAChC,sBAAsB,GAAG,KAAK,EAC9B,2BAA2B,GAAG,IAAI,EAClC,qBAAqB,GAAG,EAAE,EAC1B,qBAAqB,GAAG,KAAK,EAC7B,MAAM,GACP,GAAG,IAAI,CAAA;IACR,MAAM,WAAW,GAAG,sBAAsB,I
AAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAA;IAEtH,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,0DAA0D;YACnE,gBAAgB;SACjB,CAAA;IACH,CAAC;IACD,mBAAmB,EAAE,CAAA;IAErB,yLAAyL;IACzL,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAA;IAClF,MAAM,iBAAiB,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,OAAO,EAAE,CAAA;IAEtE,MAAM,YAAY,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACjH,MAAM,cAAc,GAClB,MAAA,CACE,MAAM,OAAO,CAAC,GAAG,CACf,qBAAqB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAChC,IAAI,CAAC;YACH,OAAO,IAAA,wBAAgB,EAAC,GAAG,CAAC,CAAA;QAC9B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,aAAa;YACb,OAAO,CAAC,GAAG,CAAC,+CAA+C,GAAG,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,CAAA;YACtF,OAAO,SAAS,CAAA;QAClB,CAAC;IACH,CAAC,CAAC,CACH,CACF,CAAC,MAAM,CAAC,CAAC,IAAI,EAA6B,EAAE,CAAC,IAAI,KAAK,SAAS,CAAC,mCAAI,EAAE,CAAA;IACzE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAA;IAErC,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAA;IAChC,IAAI,gBAAgB,GAAkC,SAAS,CAAA;IAC/D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QACrD,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,iCAAoB,EAAC,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,WAAW,CAAC,CAAC,CAAA;QAC/H,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,iHAAiH,CAAC,CAAA;YAC9H,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,iHAAiH,EAC1H,aAAa,EAAE,+BAA+B,kBAAkB,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,0BAA0B,EACxH,WAAW,EAAE,kBAAkB,aAAlB,kBAAkB,uBAAlB,kBAAkB,CAAE,eAAe,EAChD,gBAAgB,EAChB,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,IACpE,CAAC,MAA
M,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,WAAW,CAAC,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;gBAChF,IAAI,CAAC,QAAQ,IAAI,CAAC,qBAAqB,EAAE,CAAC;oBACxC,OAAO,MAAM,gCAAgC,CAAC;wBAC5C,QAAQ,EAAE,IAAI;wBACd,KAAK,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC,OAAO,EAAE;wBACnC,IAAI;wBACJ,gBAAgB;wBAChB,YAAY;qBACb,CAAC,CAAA;gBACJ,CAAC;gBACD,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,aAAa,EAAE,mBAAmB,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBAAgB,WAAW,CAAC,eAAe,CAAC,MAAM,+CAA+C,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,wBAAwB,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,CAAC,OAAO,GAAG,EACvR,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;YACH,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,eAAe,CAAC,MAAM,CACrD;YACE,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,eAAe,0CAAE,SAAS;SACpD,EACD,MAAA,MAAA,MAAA,IAAA,iBAAS,GAAE,0CAAE,MAAM,mCAAI,MAAM,mCAAI,MAAM,CAAC,MAAM,CAC/C,CAAA;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,qCAAqC;YACrC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBAClD,OAAO,MAAM,gCAAgC,CAAC;oBAC5C,QAAQ,EAAE,IAAI;oBACd,KAAK,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC,OAAO,EAAE;oBACnC,IAAI;oBACJ,gBAAgB;oBAChB,YAAY;iBACb,CAAC,CAAA;YACJ,CAAC;YAED,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,aAAa,EAAE,mCAAmC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBACzF,WAAW,CAAC,eAAe,CAAC,MAC9B,wBAAwB,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,eAAe,CAAC,YAAY,CAAC,GAAG,EACnF,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;QAED,gBAAgB,GAAG,gBAAgB,aAAhB,gBAAgB,cAAhB,gBAAgB,GAAI,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,eAAe,EAAE,WAAW,CAAC,eAAe,CAAC,CA
AC,CAAA;QAE/I,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,KAAK,CAAC,IAAI,2BAA2B,EAAE,CAAC;YAChE,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,uEAAuE,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EACzH,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,WAAW,EAAE,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,EAC9C,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAA,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,KAAI,wBAAwB,EAAE,CAAC;QAClE,uBACE,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,KAAK,EACf,OAAO,EAAE,6BAA6B,EACtC,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,aAAa,EAAE,gBAAgB;gBAC7B,CAAC,CAAC,wBAAwB,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,yCAAyC,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG;gBAC3J,CAAC,CAAC,wBAAwB,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,kHAAkH,wBAAwB,KAAK,EACjN,WAAW,EAAE,gBAAgB,aAAhB,gBAAgB,uBAAhB,gBAAgB,CAAE,eAAe,EAC9C,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;IACH,CAAC;IAED,uBACE,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,IAAI,EACd,OAAO,EAAE,2CAA2C,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAC7F,gBAAgB,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EACvE,aAAa,EAAE,qEACb,iBAAiB,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EACjE,aAAa,iBAAiB,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,GAAG,EAClE,gBAAgB,IACb,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,CAAC,EAC1B;AACH,CAAC,CAAA,CAAA;AAED,MAAM,iBAAiB,GAAG,CAAC,KAAsB,EAAE,KAAsB,EAAW,EAAE;IACpF,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAA;AAC9D,CAAC,CAAA;AAED,MAAM,iBAAiB,GAAsB,oBAAS,CAAC,OAAO,CAAC,wBAAiB,CAAC,CAAA;AAC1E,MAAM,wBAAwB,GAAG,GAAsB,EAAE;IAC9D,OAAO,iBAAiB,CAAA;AAC1B,CAAC,CAAA;AAFY,QAAA,wBAAwB,4BAEpC;AAYM,MAAM,gBAAgB,GAAG,CAAO,OAA4B,EAA8B,EAAE;IACjG,MAAM,eAAe,GAAG,IAAI,sBAAe,CAAC,OAAO,CAAC,CAAA;IACpD,MAAM,aAAa,GAAG,uBAAS,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,OAAO,EAAE,gCAAoB,CAAC,CAA
A;IAC9F,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAA;IACnE,IAAI,YAAY,GAAoB,SAAS,CAAA;IAC7C,IAAI,CAAC;QACH,YAAY,GAAG,CAAC,MAAM,IAAA,yCAAiC,EAAC,IAAI,UAAU,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAQ,CAAA;IAC1G,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;IAC1B,CAAC;IACD,MAAM,WAAW,GAAG,IAAA,sCAAyB,EAAC,OAAO,CAAC,CAAA;IACtD,MAAM,eAAe,GAAG,MAAM,IAAA,0BAAkB,EAAC,WAAW,CAAC,CAAA;IAC7D,MAAM,kBAAkB,GAAG,IAAA,gCAAwB,GAAE,CAAC,cAAc,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;IAC7F,OAAO;QACL,kBAAkB;QAClB,aAAa;QACb,YAAY;QACZ,YAAY;QACZ,eAAe;QACf,WAAW;QACX,eAAe;KAChB,CAAA;AACH,CAAC,CAAA,CAAA;AAtBY,QAAA,gBAAgB,oBAsB5B;AACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuIE;AAEF,MAAM,MAAM,GAA2B;IACrC,SAAS,EAAE,GAAG;IACd,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;IAChB,SAAS,EAAE,IAAI;IACf,SAAS,EAAE,GAAG;IACd,SAAS,EAAE,IAAI;IACf,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;IAChB,UAAU,EAAE,GAAG;IACf,SAAS,EAAE,IAAI;IACf,sBAAsB,EAAE,QAAQ;CACjC,CAAA;AAEM,MAAM,WAAW,GAAG,CAAC,IAAiB,EAAU,EAAE;IACvD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;QAC3C,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;KACpD,CAAA;AACH,CAAC,CAAA;AALY,QAAA,WAAW,eAKvB;AAEM,MAAM,YAAY,GAAG,CAAC,IAAiB,EAAU,EAAE;IACxD,OAAO;QACL,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5C,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;KACrD,CAAA;AACH,CAAC,CAAA;AALY,QAAA,YAAY,gBAKxB;AAED,MAAM,WAAW,GAAG,CAAC,cAAuC,EAA0B,EAAE;;IACtF,MAAM,EAAE,GAA2B,EAAE,CAAA;IACrC,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,MAAA,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,mCAAI,YAAY,CAAC,IAAI,CAAA;QAC3D,EAAE,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC,CAAA;AACD,MAAM,WAAW,GAAG,CAAC,cAAuC,EAAU,EAAE;IACtE,OAAO,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;SAC/C,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;SACxC,IAAI,CAAC,GAAG,CAAC,CAAA;AACd,CAAC,CAAA
;AAEM,MAAM,iCAAiC,GAAG,CAAO,YAA+C,EAAgB,EAAE;IACvH,MAAM,WAAW,GACf,OAAO,YAAY,KAAK,QAAQ;QAC9B,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,WAAW,CAAC;QACtE,CAAC,CAAC,YAAY,YAAY,UAAU;YACpC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,EAAE,WAAW,CAAC;YACzC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,WAAW,CAAC,EAAE,WAAW,CAAC,CAAA;IAC7F,MAAM,GAAG,GAAG,IAAA,qBAAQ,EAAC,WAAW,CAAC,CAAA;IACjC,MAAM,WAAW,GAAG,IAAA,sCAAyB,EAAC,GAAG,CAAC,CAAA;IAClD,IAAI,GAAoB,CAAA;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,iBAAS,EAAC,IAAI,CAAC,CAAC,MAAM,CAAA;QACrC,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,YAAY,CAAC,SAAS,EAAE,mBAAmB,EAAE,CAAC,CAAA;QAC3E,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC,CAAoB,CAAA;IAC9D,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,CAAC,CAAA;IACpE,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,CAAC;YACH,GAAG,GAAG,CAAC,MAAM,uBAAI,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAQ,CAAA;QAC7C,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,CAAC,GAAG,CAAC,+CAA+C,EAAE,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,CAAC,CAAA;QAC9E,CAAC;IACH,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,KAAK,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;IAC1D,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC,CAAA,CAAA;AA5BY,QAAA,iCAAiC,qCA4B7C;AAED;;;;;;;;;;GAUG;AACH,IAAY,6BAKX;AALD,WAAY,6BAA6B;IACvC,6FAAc,CAAA;IACd,uFAAW,CAAA;IACX,2HAA6B,CAAA;IAC7B,2FAAa,CAAA;AACf,CAAC,EALW,6BAA6B,6CAA7B,6BAA6B,QAKxC;AASM,MAAM,sCAAsC,GAAG,CAAC,WAAwB,EAAE,QAAgB,EAAE,cAA8B,EAAQ,EAAE;IACzI,MAAM,IAAI,GAAG,IAAA,kCAA0B,EAAC,WAAW,EAAE,EAAE,oBAAoB,EAAE,cAAc,EAAE,CAAC,CAAA;IAC9F,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAA;IAClE,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,KAAK,CACT,oBAAoB,cAAc,0EAChC,IAAA,oBAAY,EAAC,WAAW,CAAC,CAAC,EAC5B,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CACpD,CAAA;IACH,CAAC;AACH,CAAC,CAAA;AAVY,QAAA,sCAAsC,0CAUlD;AAEM,MAAM,6CAA6C,GAAG,CAC3D,W
AAwB,EACxB,QAAgB,EAChB,cAA8B,EACC,EAAE;IACjC,MAAM,MAAM,GAAG;QACb,KAAK,EAAE,IAAI;QACX,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE,aAAa,QAAQ,gDAAgD,cAAc,EAAE;QAC9F,MAAM,EAAE;YACN,QAAQ;YACR,cAAc;SACf;QACD,gBAAgB,EAAE,CAAC,MAAM,IAAA,0BAAkB,EAAC,WAAW,CAAC,CAAC;QACzD,gBAAgB,EAAE,IAAI,IAAI,EAAE;KAC7B,CAAA;IACD,IAAI,CAAC;QACH,IAAA,8CAAsC,EAAC,WAAW,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;IAC/E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,MAAM,CAAA;IACf,CAAC;IACD,MAAM,CAAC,KAAK,GAAG,KAAK,CAAA;IACpB,MAAM,CAAC,OAAO,GAAG,aAAa,QAAQ,4CAA4C,cAAc,EAAE,CAAA;IAClG,OAAO,MAAM,CAAA;AACf,CAAC,CAAA,CAAA;AAxBY,QAAA,6CAA6C,iDAwBzD;AAEM,MAAM,0BAA0B,GAAG,CACxC,WAAwB,EACxB,IAIC,EACyB,EAAE;;IAC5B,IAAI,UAA2C,CAAA;IAC/C,IAAI,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,oBAAoB,EAAE,CAAC;QAC/B,UAAU;YACR,IAAI,CAAC,oBAAoB,KAAK,cAAc;gBAC1C,CAAC,CAAC,CAAC,6BAA6B,CAAC,OAAO,CAAC;gBACzC,CAAC,CAAC,CAAC,6BAA6B,CAAC,yBAAyB,CAAC,CAAA;IACjE,CAAC;SAAM,IAAI,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,UAAU,EAAE,CAAC;QAC5B,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IACnF,CAAC;SAAM,CAAC;QACN,UAAU,GAAG,CAAC,6BAA6B,CAAC,OAAO,EAAE,6BAA6B,CAAC,yBAAyB,CAAC,CAAA;IAC/G,CAAC;IACD,MAAM,WAAW,GAAG,MAAA,MAAA,WAAW,CAAC,UAAU,0CAAE,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,yBAAiB,CAAC,0CAAE,WAAsB,CAAA;IACnH,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,CAAA;IACX,CAAC;IACD,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAA;IAC9C,OAAO,QAAQ;SACZ,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;SACtD,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QACf,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAmC,CAAA;IACtF,CAAC,CAAC,CAAA;AACN,CAAC,CAAA;AA7BY,QAAA,0BAA0B,8BA6BtC"}
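--- a/package/package.json
+++ b/package/package.json
@@ -1,44 +1,32 @@
  {
  "name": "@sphereon/ssi-sdk-ext.x509-utils",
  "description": "Sphereon SSI-SDK plugin functions for X.509 Certificate handling.",
- "version": "0.28.1-feature.esm.cjs.8+4c162d1",
- "source": "./src/index.ts",
- "type": "module",
- "main": "./dist/index.cjs",
- "module": "./dist/index.js",
- "types": "./dist/index.d.ts",
- "exports": {
- "import": {
- "types": "./dist/index.d.ts",
- "import": "./dist/index.js"
- },
- "require": {
- "types": "./dist/index.d.cts",
- "require": "./dist/index.cjs"
- }
- },
+ "version": "0.28.1-feature.oyd.cmsm.improv.16+a254c6d",
+ "source": "src/index.ts",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
  "scripts": {
- "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
+ "build": "tsc --build",
+ "build:clean": "tsc --build --clean && tsc --build"
  },
  "dependencies": {
  "@peculiar/asn1-schema": "^2.3.13",
  "@peculiar/asn1-x509": "^2.3.13",
  "@peculiar/x509": "^1.12.3",
- "@sphereon/ssi-types": "^0.33",
+ "@sphereon/ssi-types": "^0.31.0",
  "@trust/keyto": "^1.0.1",
  "debug": "^4.3.4",
  "js-x509-utils": "^1.0.7",
  "pkijs": "^3.2.4",
  "tsyringe": "^4.8.0",
- "uint8arrays": " 3.1.1"
+ "uint8arrays": "^3.1.1"
  },
  "devDependencies": {
- "@types/node": "20.17.1",
- "typescript": "5.8.3"
+ "typescript": "^5.5.4"
  },
  "files": [
- "dist",
- "src",
+ "dist/**/*",
+ "src/**/*",
  "README.md",
  "LICENSE"
  ],
@@ -54,5 +42,5 @@
  "DID",
  "Veramo"
  ],
- "gitHead": "4c162d14577f462070adeea3e7ec5a443c324ee7"
+ "gitHead": "a254c6d44af6fbb12419b55054f1db5afbe484f0"
  }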
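Review bot: The `@sphereon/ssi-types` range in the dependencies hunk moves from `^0.33` to `^0.31.0`, which lowers the dependency floor rather than raising it; if this branch was cut from an older base that is likely an unintended regression, and it is worth checking against the resolved lockfile before a release is published from here. Removing the `exports` map while publishing both `dist/**/*` and `src/**/*` also makes every file in the package a reachable deep-import path, so internal modules become de-facto public API; if CJS-only is the intent, a minimal `"exports": { ".": "./dist/index.js" }` keeps the surface to the documented entry point. Dropping `@types/node` from devDependencies while the crypto helper in this package still references `global` and `require` presumably relies on types supplied by the workspace root — worth confirming the package still builds standalone with `tsc --build`.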
@@ -1,21 +1,15 @@
1
- import { webcrypto } from 'node:crypto'
2
- export const globalCrypto = (setGlobal: boolean, suppliedCrypto?: webcrypto.Crypto): webcrypto.Crypto => {
3
- let webcrypto: webcrypto.Crypto
1
+ export const globalCrypto = (setGlobal: boolean, suppliedCrypto?: Crypto): Crypto => {
2
+ let webcrypto: Crypto
4
3
  if (typeof suppliedCrypto !== 'undefined') {
5
4
  webcrypto = suppliedCrypto
6
5
  } else if (typeof crypto !== 'undefined') {
7
6
  webcrypto = crypto
8
7
  } else if (typeof global.crypto !== 'undefined') {
9
8
  webcrypto = global.crypto
9
+ } else if (typeof global.window?.crypto?.subtle !== 'undefined') {
10
+ webcrypto = global.window.crypto
10
11
  } else {
11
- // @ts-ignore
12
- if (typeof global.window?.crypto?.subtle !== 'undefined') {
13
- // @ts-ignore
14
- webcrypto = global.window.crypto
15
- } else {
16
- // @ts-ignore
17
- webcrypto = require('crypto') as webcrypto.Crypto
18
- }
12
+ webcrypto = require('crypto') as Crypto
19
13
  }
20
14
  if (setGlobal) {
21
15
  global.crypto = webcrypto
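Review bot: The final fallback `webcrypto = require('crypto') as Crypto` uses a type assertion to hide that the Node `crypto` module object is not itself a WebCrypto `Crypto` instance; the instance lives on the module's `webcrypto` property (newer Node versions also expose `subtle` directly on the module), so `webcrypto = require('crypto').webcrypto as Crypto` is the object that `globalCrypto(false).subtle` callers in this package actually need. The earlier branches also accept `suppliedCrypto`, `crypto` and `global.crypto` without the `.subtle` probe that the new `global.window` branch performs, so a caller-supplied object without WebCrypto support is installed process-wide by `global.crypto = webcrypto`; a single guard before that assignment, `if (typeof webcrypto?.subtle === 'undefined') throw new Error('no WebCrypto implementation available')`, would make the failure explicit instead of deferring it to the first `subtle` call. With the `node:crypto` import gone, the `Crypto` type presumably resolves to the DOM lib global — confirm the tsconfig `lib` includes it. globalCrypto's body continues past the hunk.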
@@ -1,13 +1,8 @@
1
- // @ts-ignore
2
- import { KeyUsage, CryptoKey, RsaHashedImportParams, RsaHashedKeyGenParams } from 'node'
3
-
4
- // @ts-ignore
5
- import { toString } from 'uint8arrays/to-string'
1
+ import * as u8a from 'uint8arrays'
6
2
  import { HashAlgorithm } from '../types'
7
3
  import { globalCrypto } from './crypto'
8
4
 
9
5
  import { derToPEM } from './x509-utils'
10
- import { JsonWebKey } from '@sphereon/ssi-types'
11
6
 
12
7
  export type RSASignatureSchemes = 'RSASSA-PKCS1-V1_5' | 'RSA-PSS'
13
8
 
@@ -83,5 +78,5 @@ export const generateRSAKeyAsPEM = async (
83
78
  const pkcs8 = await globalCrypto(false).subtle.exportKey('pkcs8', keypair.privateKey)
84
79
 
85
80
  const uint8Array = new Uint8Array(pkcs8)
86
- return derToPEM(toString(uint8Array, 'base64pad'), 'RSA PRIVATE KEY')
81
+ return derToPEM(u8a.toString(uint8Array, 'base64pad'), 'RSA PRIVATE KEY')
87
82
  }
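Review bot: In the second hunk the PEM label is still `'RSA PRIVATE KEY'`, but the DER comes from `exportKey('pkcs8', keypair.privateKey)`, which is a PKCS#8 `PrivateKeyInfo` structure; that label denotes the PKCS#1 `RSAPrivateKey` encoding, so parsers that dispatch on the label may reject or misparse the output. Unless existing callers depend on the current header, the changed line should read `return derToPEM(u8a.toString(uint8Array, 'base64pad'), 'PRIVATE KEY')`. In the first hunk the `JsonWebKey` import from `@sphereon/ssi-types` is dropped along with the `'node'` type imports; if those names are still used further down the file they presumably now resolve from a global lib — worth confirming under `strict`. generateRSAKeyAsPEM starts outside the hunk.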