@super-protocol/sdk-js 3.4.0-beta.15 → 3.4.0-beta.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/dist/cjs/certificates/crl.d.ts +6 -0
  2. package/dist/cjs/certificates/crl.js +66 -0
  3. package/dist/cjs/certificates/helper.d.ts +21 -0
  4. package/dist/cjs/certificates/helper.js +161 -0
  5. package/dist/cjs/certificates/index.d.ts +2 -0
  6. package/dist/cjs/certificates/index.js +19 -0
  7. package/dist/cjs/certificates/ocsp.d.ts +9 -0
  8. package/dist/cjs/certificates/ocsp.js +124 -0
  9. package/dist/cjs/certificates/types.d.ts +4 -0
  10. package/dist/cjs/certificates/types.js +3 -0
  11. package/dist/cjs/constants.d.ts +5 -0
  12. package/dist/cjs/constants.js +7 -2
  13. package/dist/cjs/index.d.ts +1 -0
  14. package/dist/cjs/index.js +2 -1
  15. package/dist/cjs/tee/OrderReportService.d.ts +0 -3
  16. package/dist/cjs/tee/OrderReportService.js +12 -28
  17. package/dist/cjs/tee/TeeCertificateService.d.ts +0 -4
  18. package/dist/cjs/tee/TeeCertificateService.js +23 -34
  19. package/dist/mjs/certificates/crl.d.ts +6 -0
  20. package/dist/mjs/certificates/crl.js +39 -0
  21. package/dist/mjs/certificates/helper.d.ts +21 -0
  22. package/dist/mjs/certificates/helper.js +131 -0
  23. package/dist/mjs/certificates/index.d.ts +2 -0
  24. package/dist/mjs/certificates/index.js +3 -0
  25. package/dist/mjs/certificates/ocsp.d.ts +9 -0
  26. package/dist/mjs/certificates/ocsp.js +94 -0
  27. package/dist/mjs/certificates/types.d.ts +4 -0
  28. package/dist/mjs/certificates/types.js +2 -0
  29. package/dist/mjs/constants.d.ts +5 -0
  30. package/dist/mjs/constants.js +6 -1
  31. package/dist/mjs/index.d.ts +1 -0
  32. package/dist/mjs/index.js +2 -1
  33. package/dist/mjs/tee/OrderReportService.d.ts +0 -3
  34. package/dist/mjs/tee/OrderReportService.js +13 -29
  35. package/dist/mjs/tee/TeeCertificateService.d.ts +0 -4
  36. package/dist/mjs/tee/TeeCertificateService.js +23 -34
  37. package/package.json +2 -2
package/dist/cjs/tee/OrderReportService.js CHANGED
@@ -4,23 +4,22 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
4
4
  };
5
5
  Object.defineProperty(exports, "__esModule", { value: true });
6
6
  exports.OrderReportService = void 0;
7
- const node_forge_1 = __importDefault(require("node-forge"));
8
7
  const util_1 = require("util");
9
8
  const zlib_1 = __importDefault(require("zlib"));
10
9
  const dto_js_1 = require("@super-protocol/dto-js");
11
10
  const OrderReport_js_1 = require("../proto/OrderReport.js");
12
- const TeeCertificateService_js_1 = require("./TeeCertificateService.js");
13
11
  const constants_js_1 = require("../constants.js");
14
12
  const calculateObjectHash_js_1 = require("../utils/helpers/calculateObjectHash.js");
13
+ const helper_js_1 = require("../certificates/helper.js");
14
+ const TeeCertificateService_js_1 = require("./TeeCertificateService.js");
15
15
  const gzipPromise = (0, util_1.promisify)(zlib_1.default.gzip);
16
16
  const unzipPromise = (0, util_1.promisify)(zlib_1.default.unzip);
17
- const rootCertDer = Buffer.from(node_forge_1.default.pki.pemToDer(constants_js_1.SUPERPROTOCOL_CA).bytes(), 'binary');
18
17
  class OrderReportService {
19
- static teeCertificateService = new TeeCertificateService_js_1.TeeCertificateService();
20
18
  static async encode(orderReport) {
21
- const certsDer = this.certsToDerArray(orderReport.certificate);
19
+ const { certs } = helper_js_1.CertificatesHelper.extractCAFromChain(orderReport.certificate);
20
+ const certsDer = helper_js_1.CertificatesHelper.pemChainToDer(certs);
22
21
  const orderReportProto = {
23
- certificates: this.removeRootCertificateFromChain(certsDer),
22
+ certificates: certsDer,
24
23
  workloadInfo: {
25
24
  runtimeInfo: orderReport.workloadInfo.runtimeInfo.map((ri) => ({
26
25
  type: ri.type,
@@ -39,14 +38,7 @@ class OrderReportService {
39
38
  static async decode(encodedOrderReport) {
40
39
  const decompressed = await unzipPromise(encodedOrderReport);
41
40
  const orderReportProto = OrderReport_js_1.OrderReportProto.decode(decompressed);
42
- const certsPem = orderReportProto.certificates.map((derCert) => node_forge_1.default.pem.encode({
43
- contentDomain: null,
44
- dekInfo: null,
45
- headers: [],
46
- procType: null,
47
- type: 'CERTIFICATE',
48
- body: Buffer.from(derCert).toString('binary'),
49
- }));
41
+ const certsPem = helper_js_1.CertificatesHelper.derChainToPem(orderReportProto.certificates);
50
42
  if (!orderReportProto.workloadInfo) {
51
43
  throw new Error(`Wrong order report! Missing workloadInfo`);
52
44
  }
@@ -65,34 +57,26 @@ class OrderReportService {
65
57
  return result;
66
58
  });
67
59
  return {
68
- certificate: certsPem.join('').trim(),
60
+ certificate: certsPem,
69
61
  workloadInfo: {
70
62
  runtimeInfo,
71
63
  created: orderReportProto.workloadInfo.created,
72
64
  },
73
65
  };
74
66
  }
75
- static removeRootCertificateFromChain(certsDer) {
76
- return certsDer.filter((certDer) => !certDer.equals(rootCertDer));
77
- }
78
67
  static async validateOrderReport(orderReport) {
79
- await this.teeCertificateService.validateTeeReportCertChain(orderReport.certificate);
80
- const workloadInfoHashFromCert = this.teeCertificateService.getExtensionValue(orderReport.certificate, constants_js_1.OID_CUSTOM_EXTENSION_ORDER_REPORT_WORKLOAD_INFO_HASH);
68
+ const teeCertificateService = new TeeCertificateService_js_1.TeeCertificateService();
69
+ await teeCertificateService.validateTeeReportCertChain(orderReport.certificate);
70
+ const workloadInfoHashFromCert = helper_js_1.CertificatesHelper.getExtensionValue(orderReport.certificate, constants_js_1.OID_CUSTOM_EXTENSION_ORDER_REPORT_WORKLOAD_INFO_HASH);
81
71
  if (!workloadInfoHashFromCert) {
82
72
  throw new Error(`WorkloadInfoHash is missing in certificate!`);
83
73
  }
84
74
  const workloadInfoHash = await (0, calculateObjectHash_js_1.calculateObjectHash)(orderReport.workloadInfo);
85
- const isHashMatch = Buffer.compare(Buffer.from(workloadInfoHashFromCert, 'binary'), Buffer.from(workloadInfoHash.hash, workloadInfoHash.encoding)) === 0;
75
+ const isHashMatch = Buffer.compare(workloadInfoHashFromCert, Buffer.from(workloadInfoHash.hash, workloadInfoHash.encoding)) === 0;
86
76
  if (!isHashMatch) {
87
77
  throw new Error(`WorkloadInfoHash in the certificate doesn't match the WorkloadInfoHash in the orderReport`);
88
78
  }
89
79
  }
90
- static certsToDerArray(certificate) {
91
- const certs = this.teeCertificateService.splitPemCerts(certificate);
92
- return certs.map((pemCert) => {
93
- return Buffer.from(node_forge_1.default.pki.pemToDer(pemCert).bytes(), 'binary');
94
- });
95
- }
96
80
  static hashToBinary(hash) {
97
81
  if (!hash) {
98
82
  return;
@@ -114,4 +98,4 @@ class OrderReportService {
114
98
  }
115
99
  }
116
100
  exports.OrderReportService = OrderReportService;
117
- //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiT3JkZXJSZXBvcnRTZXJ2aWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3RlZS9PcmRlclJlcG9ydFNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBQUEsNERBQStCO0FBQy9CLCtCQUFpQztBQUNqQyxnREFBd0I7QUFDeEIsbURBT2dDO0FBR2hDLDREQUEyRDtBQUMzRCx5RUFBbUU7QUFDbkUsa0RBR3lCO0FBQ3pCLG9GQUE4RTtBQUU5RSxNQUFNLFdBQVcsR0FBRyxJQUFBLGdCQUFTLEVBQUMsY0FBSSxDQUFDLElBQUksQ0FBQyxDQUFDO0FBQ3pDLE1BQU0sWUFBWSxHQUFHLElBQUEsZ0JBQVMsRUFBQyxjQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7QUFDM0MsTUFBTSxXQUFXLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsK0JBQWdCLENBQUMsQ0FBQyxLQUFLLEVBQUUsRUFBRSxRQUFRLENBQUMsQ0FBQztBQUV4RixNQUFhLGtCQUFrQjtJQUNyQixNQUFNLENBQVUscUJBQXFCLEdBQUcsSUFBSSxnREFBcUIsRUFBRSxDQUFDO0lBRTVFLE1BQU0sQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLFdBQXdCO1FBQzFDLE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxlQUFlLENBQUMsV0FBVyxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBRS9ELE1BQU0sZ0JBQWdCLEdBQXFCO1lBQ3pDLFlBQVksRUFBRSxJQUFJLENBQUMsOEJBQThCLENBQUMsUUFBUSxDQUFDO1lBQzNELFlBQVksRUFBRTtnQkFDWixXQUFXLEVBQUUsV0FBVyxDQUFDLFlBQVksQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxFQUFFLEVBQUUsQ0FBQyxDQUFDO29CQUM3RCxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUk7b0JBQ2IsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJO29CQUNiLElBQUksRUFBRSxJQUFJLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUM7b0JBQ2hDLGdCQUFnQixFQUFFLElBQUksQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDLGdCQUFnQixDQUFDO29CQUN4RCxRQUFRLEVBQUUsSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUMsUUFBUSxDQUFDO2lCQUN6QyxDQUFDLENBQUM7Z0JBQ0gsT0FBTyxFQUFFLFdBQVcsQ0FBQyxZQUFZLENBQUMsT0FBTzthQUMxQztTQUNGLENBQUM7UUFFRixNQUFNLE9BQU8sR0FBRyxpQ0FBZ0IsQ0FBQyxNQUFNLENBQUMsZ0JBQWdCLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUNuRSxNQUFNLFVBQVUsR0FBRyxNQUFNLFdBQVcsQ0FBQyxPQUFPLEVBQUUsRUFBRSxLQUFLLEVBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUU1RCxPQUFPLFVBQVUsQ0FBQztJQUNwQixDQUFDO0lBRUQsTUFBTSxDQUFDLEtBQUssQ0FBQyxNQUFNLENBQUMsa0JBQTBCO1FBQzVDLE1BQU0sWUFBWSxHQUFHLE1BQU0sWUFBWSxDQUFDLGtCQUFrQixDQUFDLENBQUM7UUFDNUQsTUFBTSxnQkFBZ0IsR0FBRyxpQ0FBZ0IsQ0FBQyxNQUFNLENBQUMsWUFBWSxDQUFDLENBQUM7UUFFL0QsTUFBTSxRQUFRLEdBQUcsZ0JBQWdCLENBQUMsWUFBWSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQzdELG9CQUFLLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQztZQUNmLGFBQWEsRUFBRSxJQUFJO1lBQ25CLE9BQU8sRUFBRSxJQUFJO1lBQ2IsT0FBTyxFQUFFLEVBQUU7WUFDWCxRQUFRLEVBQUUsSUFBSTtZQUNkLElBQUksRUFBRSxhQUFhO1lBQ25CLElBQUksRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUM7U0FDOUMsQ0FBQyxDQUNILENBQUM7UUFFRixJQUFJLENBQUMsZ0JBQWdCLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDbkMsTUFBTSxJQUFJLEtBQUssQ0FBQywwQ0FBMEMsQ0FBQyxDQUFDO1FBQzlELENBQUM7UUFFRCxNQUFNLFdBQVcsR0FBa0IsZ0JBQWdCLENBQUMsWUFBWSxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRTtZQUMzRixNQUFNLE1BQU0sR0FBZ0I7Z0JBQzFCLElBQUksRUFBRSxPQUFPLENBQUMsSUFBZTtnQkFDN0IsSUFBSSxFQUFFLE9BQU8sQ0FBQyxJQUFJO2dCQUNsQixJQUFJLEVBQUUsSUFBSSxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUU7YUFDM0MsQ0FBQztZQUNGLElBQUksT0FBTyxDQUFDLGdCQUFnQixFQUFFLENBQUM7Z0JBQzdCLE1BQU0sQ0FBQyxnQkFBZ0IsR0FBRyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLGdCQUFnQixDQUFDLENBQUM7WUFDNUUsQ0FBQztZQUNELElBQUksT0FBTyxDQUFDLFFBQVEsRUFBRSxDQUFDO2dCQUNyQixNQUFNLENBQUMsUUFBUSxHQUFHLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLENBQUM7WUFDNUQsQ0FBQztZQUNELE9BQU8sTUFBTSxDQUFDO1FBQ2hCLENBQUMsQ0FBQyxDQUFDO1FBRUgsT0FBTztZQUNMLFdBQVcsRUFBRSxRQUFRLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDLElBQUksRUFBRTtZQUNyQyxZQUFZLEVBQUU7Z0JBQ1osV0FBVztnQkFDWCxPQUFPLEVBQUUsZ0JBQWdCLENBQUMsWUFBYSxDQUFDLE9BQU87YUFDaEQ7U0FDRixDQUFDO0lBQ0osQ0FBQztJQUVELE1BQU0sQ0FBQyw4QkFBOEIsQ0FBQyxRQUFrQjtRQUN0RCxPQUFPLFFBQVEsQ0FBQyxNQUFNLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsQ0FBQyxDQUFDO0lBQ3BFLENBQUM7SUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLG1CQUFtQixDQUFDLFdBQXdCO1FBQ3ZELE1BQU0sSUFBSSxDQUFDLHFCQUFxQixDQUFDLDBCQUEwQixDQUFDLFdBQVcsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUVyRixNQUFNLHdCQUF3QixHQUFHLElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxpQkFBaUIsQ0FDM0UsV0FBVyxDQUFDLFdBQVcsRUFDdkIsbUVBQW9ELENBQ3JELENBQUM7UUFDRixJQUFJLENBQUMsd0JBQXdCLEVBQUUsQ0FBQztZQUM5QixNQUFNLElBQUksS0FBSyxDQUFDLDZDQUE2QyxDQUFDLENBQUM7UUFDakUsQ0FBQztRQUNELE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxJQUFBLDRDQUFtQixFQUFDLFdBQVcsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUU3RSxNQUFNLFdBQVcsR0FDZixNQUFNLENBQUMsT0FBTyxDQUNaLE1BQU0sQ0FBQyxJQUFJLENBQUMsd0JBQXdCLEVBQUUsUUFBUSxDQUFDLEVBQy9DLE1BQU0sQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxFQUFFLGdCQUFnQixDQUFDLFFBQVEsQ0FBQyxDQUM5RCxLQUFLLENBQUMsQ0FBQztRQUNWLElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNqQixNQUFNLElBQUksS0FBSyxDQUNiLDJGQUEyRixDQUM1RixDQUFDO1FBQ0osQ0FBQztJQUNILENBQUM7SUFFTyxNQUFNLENBQUMsZUFBZSxDQUFDLFdBQW1CO1FBQ2hELE1BQU0sS0FBSyxHQUFHLElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxhQUFhLENBQUMsV0FBVyxDQUFDLENBQUM7UUFFcEUsT0FBTyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUU7WUFDM0IsT0FBTyxNQUFNLENBQUMsSUFBSSxDQUFDLG9CQUFLLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQyxLQUFLLEVBQUUsRUFBRSxRQUFRLENBQUMsQ0FBQztRQUNwRSxDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFTyxNQUFNLENBQUMsWUFBWSxDQUFDLElBQVc7UUFDckMsSUFBSSxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ1YsT0FBTztRQUNULENBQUM7UUFFRCxPQUFPO1lBQ0wsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJO1lBQ2YsSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxJQUFJLENBQUMsUUFBUSxDQUFDO1NBQzVDLENBQUM7SUFDSixDQUFDO0lBRU8sTUFBTSxDQUFDLGdCQUFnQixDQUFDLFVBQWtDO1FBQ2hFLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUNoQixPQUFPO1FBQ1QsQ0FBQztRQUVELE9BQU87WUFDTCxJQUFJLEVBQUUsVUFBVSxDQUFDLElBQXFCO1lBQ3RDLElBQUksRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsaUJBQVEsQ0FBQyxHQUFHLENBQUM7WUFDekQsUUFBUSxFQUFFLGlCQUFRLENBQUMsR0FBRztTQUN2QixDQUFDO0lBQ0osQ0FBQzs7QUE5SEgsZ0RBK0hDIn0=
101
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiT3JkZXJSZXBvcnRTZXJ2aWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3RlZS9PcmRlclJlcG9ydFNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBQUEsK0JBQWlDO0FBQ2pDLGdEQUF3QjtBQUN4QixtREFPZ0M7QUFHaEMsNERBQTJEO0FBQzNELGtEQUF1RjtBQUN2RixvRkFBOEU7QUFDOUUseURBQStEO0FBQy9ELHlFQUFtRTtBQUVuRSxNQUFNLFdBQVcsR0FBRyxJQUFBLGdCQUFTLEVBQUMsY0FBSSxDQUFDLElBQUksQ0FBQyxDQUFDO0FBQ3pDLE1BQU0sWUFBWSxHQUFHLElBQUEsZ0JBQVMsRUFBQyxjQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7QUFFM0MsTUFBYSxrQkFBa0I7SUFDN0IsTUFBTSxDQUFDLEtBQUssQ0FBQyxNQUFNLENBQUMsV0FBd0I7UUFDMUMsTUFBTSxFQUFFLEtBQUssRUFBRSxHQUFHLDhCQUFrQixDQUFDLGtCQUFrQixDQUFDLFdBQVcsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUNqRixNQUFNLFFBQVEsR0FBRyw4QkFBa0IsQ0FBQyxhQUFhLENBQUMsS0FBSyxDQUFDLENBQUM7UUFFekQsTUFBTSxnQkFBZ0IsR0FBcUI7WUFDekMsWUFBWSxFQUFFLFFBQVE7WUFDdEIsWUFBWSxFQUFFO2dCQUNaLFdBQVcsRUFBRSxXQUFXLENBQUMsWUFBWSxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEVBQUUsRUFBRSxDQUFDLENBQUM7b0JBQzdELElBQUksRUFBRSxFQUFFLENBQUMsSUFBSTtvQkFDYixJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUk7b0JBQ2IsSUFBSSxFQUFFLElBQUksQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQztvQkFDaEMsZ0JBQWdCLEVBQUUsSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUMsZ0JBQWdCLENBQUM7b0JBQ3hELFFBQVEsRUFBRSxJQUFJLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FBQyxRQUFRLENBQUM7aUJBQ3pDLENBQUMsQ0FBQztnQkFDSCxPQUFPLEVBQUUsV0FBVyxDQUFDLFlBQVksQ0FBQyxPQUFPO2FBQzFDO1NBQ0YsQ0FBQztRQUVGLE1BQU0sT0FBTyxHQUFHLGlDQUFnQixDQUFDLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ25FLE1BQU0sVUFBVSxHQUFHLE1BQU0sV0FBVyxDQUFDLE9BQU8sRUFBRSxFQUFFLEtBQUssRUFBRSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBRTVELE9BQU8sVUFBVSxDQUFDO0lBQ3BCLENBQUM7SUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxrQkFBMEI7UUFDNUMsTUFBTSxZQUFZLEdBQUcsTUFBTSxZQUFZLENBQUMsa0JBQWtCLENBQUMsQ0FBQztRQUM1RCxNQUFNLGdCQUFnQixHQUFHLGlDQUFnQixDQUFDLE1BQU0sQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUUvRCxNQUFNLFFBQVEsR0FBRyw4QkFBa0IsQ0FBQyxhQUFhLENBQUMsZ0JBQWdCLENBQUMsWUFBWSxDQUFDLENBQUM7UUFFakYsSUFBSSxDQUFDLGdCQUFnQixDQUFDLFlBQVksRUFBRSxDQUFDO1lBQ25DLE1BQU0sSUFBSSxLQUFLLENBQUMsMENBQTBDLENBQUMsQ0FBQztRQUM5RCxDQUFDO1FBRUQsTUFBTSxXQUFXLEdBQWtCLGdCQUFnQixDQUFDLFlBQVksQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUU7WUFDM0YsTUFBTSxNQUFNLEdBQWdCO2dCQUMxQixJQUFJLEVBQUUsT0FBTyxDQUFDLElBQWU7Z0JBQzdCLElBQUksRUFBRSxPQUFPLENBQUMsSUFBSTtnQkFDbEIsSUFBSSxFQUFFLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFFO2FBQzNDLENBQUM7WUFDRixJQUFJLE9BQU8sQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO2dCQUM3QixNQUFNLENBQUMsZ0JBQWdCLEdBQUcsSUFBSSxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1lBQzVFLENBQUM7WUFDRCxJQUFJLE9BQU8sQ0FBQyxRQUFRLEVBQUUsQ0FBQztnQkFDckIsTUFBTSxDQUFDLFFBQVEsR0FBRyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxDQUFDO1lBQzVELENBQUM7WUFDRCxPQUFPLE1BQU0sQ0FBQztRQUNoQixDQUFDLENBQUMsQ0FBQztRQUVILE9BQU87WUFDTCxXQUFXLEVBQUUsUUFBUTtZQUNyQixZQUFZLEVBQUU7Z0JBQ1osV0FBVztnQkFDWCxPQUFPLEVBQUUsZ0JBQWdCLENBQUMsWUFBYSxDQUFDLE9BQU87YUFDaEQ7U0FDRixDQUFDO0lBQ0osQ0FBQztJQUVELE1BQU0sQ0FBQyxLQUFLLENBQUMsbUJBQW1CLENBQUMsV0FBd0I7UUFDdkQsTUFBTSxxQkFBcUIsR0FBRyxJQUFJLGdEQUFxQixFQUFFLENBQUM7UUFDMUQsTUFBTSxxQkFBcUIsQ0FBQywwQkFBMEIsQ0FBQyxXQUFXLENBQUMsV0FBVyxDQUFDLENBQUM7UUFFaEYsTUFBTSx3QkFBd0IsR0FBRyw4QkFBa0IsQ0FBQyxpQkFBaUIsQ0FDbkUsV0FBVyxDQUFDLFdBQVcsRUFDdkIsbUVBQW9ELENBQ3JELENBQUM7UUFDRixJQUFJLENBQUMsd0JBQXdCLEVBQUUsQ0FBQztZQUM5QixNQUFNLElBQUksS0FBSyxDQUFDLDZDQUE2QyxDQUFDLENBQUM7UUFDakUsQ0FBQztRQUNELE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxJQUFBLDRDQUFtQixFQUFDLFdBQVcsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUU3RSxNQUFNLFdBQVcsR0FDZixNQUFNLENBQUMsT0FBTyxDQUNaLHdCQUF3QixFQUN4QixNQUFNLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLElBQUksRUFBRSxnQkFBZ0IsQ0FBQyxRQUFRLENBQUMsQ0FDOUQsS0FBSyxDQUFDLENBQUM7UUFDVixJQUFJLENBQUMsV0FBVyxFQUFFLENBQUM7WUFDakIsTUFBTSxJQUFJLEtBQUssQ0FDYiwyRkFBMkYsQ0FDNUYsQ0FBQztRQUNKLENBQUM7SUFDSCxDQUFDO0lBRU8sTUFBTSxDQUFDLFlBQVksQ0FBQyxJQUFXO1FBQ3JDLElBQUksQ0FBQyxJQUFJLEVBQUUsQ0FBQztZQUNWLE9BQU87UUFDVCxDQUFDO1FBRUQsT0FBTztZQUNMLElBQUksRUFBRSxJQUFJLENBQUMsSUFBSTtZQUNmLElBQUksRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQztTQUM1QyxDQUFDO0lBQ0osQ0FBQztJQUVPLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQyxVQUFrQztRQUNoRSxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDaEIsT0FBTztRQUNULENBQUM7UUFFRCxPQUFPO1lBQ0wsSUFBSSxFQUFFLFVBQVUsQ0FBQyxJQUFxQjtZQUN0QyxJQUFJLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUMsUUFBUSxDQUFDLGlCQUFRLENBQUMsR0FBRyxDQUFDO1lBQ3pELFFBQVEsRUFBRSxpQkFBUSxDQUFDLEdBQUc7U0FDdkIsQ0FBQztJQUNKLENBQUM7Q0FDRjtBQTFHRCxnREEwR0MifQ==
package/dist/cjs/tee/TeeCertificateService.d.ts CHANGED
@@ -9,10 +9,6 @@ export declare class TeeCertificateService {
9
9
  private readonly certOidQuote;
10
10
  private getCertificatePublicKey;
11
11
  parseAndValidateCertificate(certificatePem: string | Buffer, sgxApiUrl: string): Promise<ParseTlsCertificateResult>;
12
- fromRawToPem(data: Uint8Array): string;
13
- splitPemCerts(certs: string): string[];
14
- validateCertChain(certsPem: string, caPem: string): boolean;
15
- getExtensionValue(certPem: string, oid: string): string | undefined;
16
12
  validateTeeReportCertChain(certsPem: string): Promise<void>;
17
13
  private validateChallengeSgx;
18
14
  private validateChallengeTdxAndSnp;
package/dist/cjs/tee/TeeCertificateService.js CHANGED
@@ -5,12 +5,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
5
5
  Object.defineProperty(exports, "__esModule", { value: true });
6
6
  exports.TeeCertificateService = void 0;
7
7
  const node_forge_1 = __importDefault(require("node-forge"));
8
+ const crypto_1 = require("crypto");
8
9
  const QuoteParser_js_1 = require("./QuoteParser.js");
9
10
  const QuoteValidator_js_1 = require("./QuoteValidator.js");
10
11
  const constants_js_1 = require("../constants.js");
11
12
  const pki_common_1 = require("@super-protocol/pki-common");
12
13
  const TeeSignatureVerifier_js_1 = require("./TeeSignatureVerifier.js");
13
14
  const errors_js_1 = require("./errors.js");
15
+ const index_js_1 = require("../certificates/index.js");
14
16
  class TeeCertificateService {
15
17
  certOidQuote = '0.6.9.42.840.113741.1337.6';
16
18
  getCertificatePublicKey(certificate) {
@@ -37,36 +39,23 @@ class TeeCertificateService {
37
39
  dataHash: Buffer.from(report.dataHash),
38
40
  };
39
41
  }
40
- fromRawToPem(data) {
41
- const base64 = Buffer.from(data).toString('base64');
42
- return `-----BEGIN CERTIFICATE-----\n${base64.match(/.{1,64}/g).join('\n')}\n-----END CERTIFICATE-----`;
43
- }
44
- splitPemCerts(certs) {
45
- const pemRegex = /(-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----)/g;
46
- return certs.match(pemRegex) || [];
47
- }
48
- validateCertChain(certsPem, caPem) {
49
- const certs = this.splitPemCerts(certsPem).map((cert) => node_forge_1.default.pki.certificateFromPem(cert));
50
- const ca = node_forge_1.default.pki.certificateFromPem(caPem);
51
- try {
52
- return node_forge_1.default.pki.verifyCertificateChain(node_forge_1.default.pki.createCaStore([ca]), certs);
53
- }
54
- catch (err) {
55
- return false;
56
- }
57
- }
58
- getExtensionValue(certPem, oid) {
59
- const cert = node_forge_1.default.pki.certificateFromPem(certPem);
60
- const extension = cert.extensions.find((ext) => ext.id === oid);
61
- return extension?.value;
62
- }
63
42
  async validateTeeReportCertChain(certsPem) {
64
- const isCertChainValid = this.validateCertChain(certsPem, constants_js_1.SUPERPROTOCOL_CA);
65
- if (!isCertChainValid) {
66
- throw new Error(`Cert chain is invalid!`);
43
+ const { success, errorMessage } = await index_js_1.CertificatesHelper.validateCertChain(certsPem, constants_js_1.SUPERPROTOCOL_CA);
44
+ if (!success) {
45
+ throw new Error(`Cert chain is invalid! (${errorMessage})`);
46
+ }
47
+ const challenges = index_js_1.CertificatesHelper.splitPemCerts(certsPem)
48
+ .filter((cert) => {
49
+ const x509 = new crypto_1.X509Certificate(cert);
50
+ // Root certificate doesn't have challenge
51
+ return x509.issuer !== x509.subject;
52
+ })
53
+ .map((cert) => index_js_1.CertificatesHelper.getExtensionValue(cert, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_TYPE)?.toString('binary'));
54
+ if (challenges.some((challenge) => !challenge || challenge === pki_common_1.ChallengeType.Untrusted)) {
55
+ throw new Error(`Cert chain has cert without or Untrusted challenge`);
67
56
  }
68
- const challengeType = this.getExtensionValue(certsPem, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_TYPE);
69
- switch (challengeType) {
57
+ const leafCertChallengeType = challenges[0];
58
+ switch (leafCertChallengeType) {
70
59
  case pki_common_1.ChallengeType.SGXDCAP:
71
60
  this.validateChallengeSgx(certsPem);
72
61
  break;
@@ -75,28 +64,28 @@ class TeeCertificateService {
75
64
  await this.validateChallengeTdxAndSnp(certsPem);
76
65
  break;
77
66
  default:
78
- throw new Error(`Challenge type ${challengeType || `[none]`} is missing or not allowed!`);
67
+ throw new Error(`Challenge type ${leafCertChallengeType || `[none]`} is missing or not allowed!`);
79
68
  }
80
69
  }
81
70
  validateChallengeSgx(certPem) {
82
- const mrSignerBinaryString = this.getExtensionValue(certPem, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID);
71
+ const mrSignerBinaryString = index_js_1.CertificatesHelper.getExtensionValue(certPem, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID);
83
72
  if (!mrSignerBinaryString) {
84
73
  throw new Error(`SGX challenge signature is wrong!`);
85
74
  }
86
75
  try {
87
- TeeSignatureVerifier_js_1.TeeSignatureVerifier.validateSignatureSgx(Buffer.from(mrSignerBinaryString, 'binary'));
76
+ TeeSignatureVerifier_js_1.TeeSignatureVerifier.validateSignatureSgx(mrSignerBinaryString);
88
77
  }
89
78
  catch (err) {
90
79
  throw new Error(`SGX challenge signature is wrong!`);
91
80
  }
92
81
  }
93
82
  async validateChallengeTdxAndSnp(certPem) {
94
- const mrEnclaveBinaryString = this.getExtensionValue(certPem, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_ID);
83
+ const mrEnclaveBinaryString = index_js_1.CertificatesHelper.getExtensionValue(certPem, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_ID);
95
84
  if (!mrEnclaveBinaryString) {
96
85
  throw new Error(`Challenge id is missing in certificate!`);
97
86
  }
98
87
  try {
99
- await TeeSignatureVerifier_js_1.TeeSignatureVerifier.validateSignatureTdxAndSnp(Buffer.from(mrEnclaveBinaryString, 'binary'));
88
+ await TeeSignatureVerifier_js_1.TeeSignatureVerifier.validateSignatureTdxAndSnp(mrEnclaveBinaryString);
100
89
  }
101
90
  catch (err) {
102
91
  const message = `Tdx signature is invalid!`;
@@ -108,4 +97,4 @@ class TeeCertificateService {
108
97
  }
109
98
  }
110
99
  exports.TeeCertificateService = TeeCertificateService;
111
- //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiVGVlQ2VydGlmaWNhdGVTZXJ2aWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3RlZS9UZWVDZXJ0aWZpY2F0ZVNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBQUEsNERBQStCO0FBQy9CLHFEQUFnRDtBQUNoRCwyREFBcUQ7QUFDckQsa0RBQW1EO0FBQ25ELDJEQUtvQztBQUNwQyx1RUFBaUU7QUFDakUsMkNBQW9EO0FBU3BELE1BQWEscUJBQXFCO0lBQ2YsWUFBWSxHQUFHLDRCQUE0QixDQUFDO0lBRXJELHVCQUF1QixDQUFDLFdBQWtDO1FBQ2hFLE1BQU0sWUFBWSxHQUFHLG9CQUFLLENBQUMsSUFBSTthQUM1QixLQUFLLENBQUMsb0JBQUssQ0FBQyxHQUFHLENBQUMsZUFBZSxDQUFDLFdBQVcsQ0FBQyxTQUFTLENBQUMsQ0FBQzthQUN2RCxRQUFRLEVBQUUsQ0FBQztRQUVkLE9BQU8sTUFBTSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDN0MsQ0FBQztJQUVELEtBQUssQ0FBQywyQkFBMkIsQ0FDL0IsY0FBK0IsRUFDL0IsU0FBaUI7UUFFakIsTUFBTSxHQUFHLEdBQUcsTUFBTSxDQUFDLFFBQVEsQ0FBQyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUMsY0FBYyxDQUFDLFFBQVEsRUFBRSxDQUFDLENBQUMsQ0FBQyxjQUFjLENBQUM7UUFDekYsTUFBTSxXQUFXLEdBQUcsb0JBQUssQ0FBQyxHQUFHLENBQUMsa0JBQWtCLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDdEQsTUFBTSxVQUFVLEdBQUcsV0FBVyxDQUFDLFVBQVUsQ0FBQztRQUUxQyxNQUFNLEtBQUssR0FBRyxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsRUFBRSxLQUFLLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUNyRSxNQUFNLFdBQVcsR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxLQUFLLEVBQUUsUUFBUSxDQUFDLENBQUM7UUFDdkQsTUFBTSxTQUFTLEdBQUcsSUFBSSxrQ0FBYyxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQ2hELE1BQU0sU0FBUyxDQUFDLFVBQVUsQ0FBQyxXQUFXLEVBQUUsSUFBSSxDQUFDLHVCQUF1QixDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUM7UUFFbkYsTUFBTSxNQUFNLEdBQUcsSUFBSSw2QkFBWSxFQUFFLENBQUM7UUFDbEMsTUFBTSxXQUFXLEdBQUcsTUFBTSxDQUFDLFVBQVUsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUNuRCxNQUFNLE1BQU0sR0FBRyxNQUFNLENBQUMsV0FBVyxDQUFDLFdBQVcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUV0RCxPQUFPO1lBQ0wsUUFBUSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUM7WUFDbEQsU0FBUyxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQztZQUN4QyxRQUFRLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDO1lBQ3RDLFFBQVEsRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUM7U0FDdkMsQ0FBQztJQUNKLENBQUM7SUFFRCxZQUFZLENBQUMsSUFBZ0I7UUFDM0IsTUFBTSxNQUFNLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDcEQsT0FBTyxnQ0FBZ0MsTUFBTSxDQUFDLEtBQUssQ0FBQyxVQUFVLENBQUUsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLDZCQUE2QixDQUFDO0lBQzNHLENBQUM7SUFFRCxhQUFhLENBQUMsS0FBYTtRQUN6QixNQUFNLFFBQVEsR0FBRyxpRUFBaUUsQ0FBQztRQUNuRixPQUFPLEtBQUssQ0FBQyxLQUFLLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO0lBQ3JDLENBQUM7SUFFRCxpQkFBaUIsQ0FBQyxRQUFnQixFQUFFLEtBQWE7UUFDL0MsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLG9CQUFLLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7UUFDN0YsTUFBTSxFQUFFLEdBQUcsb0JBQUssQ0FBQyxHQUFHLENBQUMsa0JBQWtCLENBQUMsS0FBSyxDQUFDLENBQUM7UUFFL0MsSUFBSSxDQUFDO1lBQ0gsT0FBTyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxzQkFBc0IsQ0FBQyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxhQUFhLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ2hGLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVELGlCQUFpQixDQUFDLE9BQWUsRUFBRSxHQUFXO1FBQzVDLE1BQU0sSUFBSSxHQUFHLG9CQUFLLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ25ELE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsRUFBRSxLQUFLLEdBQUcsQ0FBQyxDQUFDO1FBQ2hFLE9BQU8sU0FBUyxFQUFFLEtBQUssQ0FBQztJQUMxQixDQUFDO0lBRUQsS0FBSyxDQUFDLDBCQUEwQixDQUFDLFFBQWdCO1FBQy9DLE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFFBQVEsRUFBRSwrQkFBZ0IsQ0FBQyxDQUFDO1FBQzVFLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1lBQ3RCLE1BQU0sSUFBSSxLQUFLLENBQUMsd0JBQXdCLENBQUMsQ0FBQztRQUM1QyxDQUFDO1FBRUQsTUFBTSxhQUFhLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFFBQVEsRUFBRSxnREFBbUMsQ0FBQyxDQUFDO1FBRTVGLFFBQVEsYUFBYSxFQUFFLENBQUM7WUFDdEIsS0FBSywwQkFBYSxDQUFDLE9BQU87Z0JBQ3hCLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztnQkFDcEMsTUFBTTtZQUNSLEtBQUssMEJBQWEsQ0FBQyxHQUFHLENBQUM7WUFDdkIsS0FBSywwQkFBYSxDQUFDLE1BQU07Z0JBQ3ZCLE1BQU0sSUFBSSxDQUFDLDBCQUEwQixDQUFDLFFBQVEsQ0FBQyxDQUFDO2dCQUNoRCxNQUFNO1lBRVI7Z0JBQ0UsTUFBTSxJQUFJLEtBQUssQ0FBQyxrQkFBa0IsYUFBYSxJQUFJLFFBQVEsNkJBQTZCLENBQUMsQ0FBQztRQUM5RixDQUFDO0lBQ0gsQ0FBQztJQUVPLG9CQUFvQixDQUFDLE9BQWU7UUFDMUMsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQ2pELE9BQU8sRUFDUCxxREFBd0MsQ0FDekMsQ0FBQztRQUNGLElBQUksQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO1lBQzFCLE1BQU0sSUFBSSxLQUFLLENBQUMsbUNBQW1DLENBQUMsQ0FBQztRQUN2RCxDQUFDO1FBRUQsSUFBSSxDQUFDO1lBQ0gsOENBQW9CLENBQUMsb0JBQW9CLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxvQkFBb0IsRUFBRSxRQUFRLENBQUMsQ0FBQyxDQUFDO1FBQ3pGLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO1FBQ3ZELENBQUM7SUFDSCxDQUFDO0lBRU8sS0FBSyxDQUFDLDBCQUEwQixDQUFDLE9BQWU7UUFDdEQsTUFBTSxxQkFBcUIsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQ2xELE9BQU8sRUFDUCw4Q0FBaUMsQ0FDbEMsQ0FBQztRQUNGLElBQUksQ0FBQyxxQkFBcUIsRUFBRSxDQUFDO1lBQzNCLE1BQU0sSUFBSSxLQUFLLENBQUMseUNBQXlDLENBQUMsQ0FBQztRQUM3RCxDQUFDO1FBRUQsSUFBSSxDQUFDO1lBQ0gsTUFBTSw4Q0FBb0IsQ0FBQywwQkFBMEIsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLHFCQUFxQixFQUFFLFFBQVEsQ0FBQyxDQUFDLENBQUM7UUFDdEcsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixNQUFNLE9BQU8sR0FBRywyQkFBMkIsQ0FBQztZQUM1QyxJQUFJLEdBQUcsWUFBWSxpQ0FBcUIsRUFBRSxDQUFDO2dCQUN6QyxNQUFNLElBQUksS0FBSyxDQUFDLEdBQUcsT0FBTyxJQUFJLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQy9DLENBQUM7WUFDRCxNQUFNLElBQUksS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQzNCLENBQUM7SUFDSCxDQUFDO0NBQ0Y7QUF4SEQsc0RBd0hDIn0=
100
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiVGVlQ2VydGlmaWNhdGVTZXJ2aWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3RlZS9UZWVDZXJ0aWZpY2F0ZVNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBQUEsNERBQStCO0FBQy9CLG1DQUF5QztBQUN6QyxxREFBZ0Q7QUFDaEQsMkRBQXFEO0FBQ3JELGtEQUFtRDtBQUNuRCwyREFLb0M7QUFDcEMsdUVBQWlFO0FBQ2pFLDJDQUFvRDtBQUNwRCx1REFBOEQ7QUFTOUQsTUFBYSxxQkFBcUI7SUFDZixZQUFZLEdBQUcsNEJBQTRCLENBQUM7SUFFckQsdUJBQXVCLENBQUMsV0FBa0M7UUFDaEUsTUFBTSxZQUFZLEdBQUcsb0JBQUssQ0FBQyxJQUFJO2FBQzVCLEtBQUssQ0FBQyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxlQUFlLENBQUMsV0FBVyxDQUFDLFNBQVMsQ0FBQyxDQUFDO2FBQ3ZELFFBQVEsRUFBRSxDQUFDO1FBRWQsT0FBTyxNQUFNLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxRQUFRLENBQUMsQ0FBQztJQUM3QyxDQUFDO0lBRUQsS0FBSyxDQUFDLDJCQUEyQixDQUMvQixjQUErQixFQUMvQixTQUFpQjtRQUVqQixNQUFNLEdBQUcsR0FBRyxNQUFNLENBQUMsUUFBUSxDQUFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxjQUFjLENBQUMsUUFBUSxFQUFFLENBQUMsQ0FBQyxDQUFDLGNBQWMsQ0FBQztRQUN6RixNQUFNLFdBQVcsR0FBRyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUN0RCxNQUFNLFVBQVUsR0FBRyxXQUFXLENBQUMsVUFBVSxDQUFDO1FBRTFDLE1BQU0sS0FBSyxHQUFHLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxFQUFFLEtBQUssSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDO1FBQ3JFLE1BQU0sV0FBVyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLEtBQUssRUFBRSxRQUFRLENBQUMsQ0FBQztRQUN2RCxNQUFNLFNBQVMsR0FBRyxJQUFJLGtDQUFjLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDaEQsTUFBTSxTQUFTLENBQUMsVUFBVSxDQUFDLFdBQVcsRUFBRSxJQUFJLENBQUMsdUJBQXVCLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQztRQUVuRixNQUFNLE1BQU0sR0FBRyxJQUFJLDZCQUFZLEVBQUUsQ0FBQztRQUNsQyxNQUFNLFdBQVcsR0FBRyxNQUFNLENBQUMsVUFBVSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQ25ELE1BQU0sTUFBTSxHQUFHLE1BQU0sQ0FBQyxXQUFXLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBRXRELE9BQU87WUFDTCxRQUFRLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQztZQUNsRCxTQUFTLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDO1lBQ3hDLFFBQVEsRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUM7WUFDdEMsUUFBUSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQztTQUN2QyxDQUFDO0lBQ0osQ0FBQztJQUVELEtBQUssQ0FBQywwQkFBMEIsQ0FBQyxRQUFnQjtRQUMvQyxNQUFNLEVBQUUsT0FBTyxFQUFFLFlBQVksRUFBRSxHQUFHLE1BQU0sNkJBQWtCLENBQUMsaUJBQWlCLENBQzFFLFFBQVEsRUFDUiwrQkFBZ0IsQ0FDakIsQ0FBQztRQUNGLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE1BQU0sSUFBSSxLQUFLLENBQUMsMkJBQTJCLFlBQVksR0FBRyxDQUFDLENBQUM7UUFDOUQsQ0FBQztRQUVELE1BQU0sVUFBVSxHQUFHLDZCQUFrQixDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUM7YUFDMUQsTUFBTSxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUU7WUFDZixNQUFNLElBQUksR0FBRyxJQUFJLHdCQUFlLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDdkMsMENBQTBDO1lBQzFDLE9BQU8sSUFBSSxDQUFDLE1BQU0sS0FBSyxJQUFJLENBQUMsT0FBTyxDQUFDO1FBQ3RDLENBQUMsQ0FBQzthQUNELEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQ1osNkJBQWtCLENBQUMsaUJBQWlCLENBQUMsSUFBSSxFQUFFLGdEQUFtQyxDQUFDLEVBQUUsUUFBUSxDQUN2RixRQUFRLENBQ1QsQ0FDRixDQUFDO1FBQ0osSUFBSSxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUMsU0FBUyxFQUFFLEVBQUUsQ0FBQyxDQUFDLFNBQVMsSUFBSSxTQUFTLEtBQUssMEJBQWEsQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDO1lBQ3hGLE1BQU0sSUFBSSxLQUFLLENBQUMsb0RBQW9ELENBQUMsQ0FBQztRQUN4RSxDQUFDO1FBRUQsTUFBTSxxQkFBcUIsR0FBRyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFNUMsUUFBUSxxQkFBcUIsRUFBRSxDQUFDO1lBQzlCLEtBQUssMEJBQWEsQ0FBQyxPQUFPO2dCQUN4QixJQUFJLENBQUMsb0JBQW9CLENBQUMsUUFBUSxDQUFDLENBQUM7Z0JBQ3BDLE1BQU07WUFDUixLQUFLLDBCQUFhLENBQUMsR0FBRyxDQUFDO1lBQ3ZCLEtBQUssMEJBQWEsQ0FBQyxNQUFNO2dCQUN2QixNQUFNLElBQUksQ0FBQywwQkFBMEIsQ0FBQyxRQUFRLENBQUMsQ0FBQztnQkFDaEQsTUFBTTtZQUVSO2dCQUNFLE1BQU0sSUFBSSxLQUFLLENBQ2Isa0JBQWtCLHFCQUFxQixJQUFJLFFBQVEsNkJBQTZCLENBQ2pGLENBQUM7UUFDTixDQUFDO0lBQ0gsQ0FBQztJQUVPLG9CQUFvQixDQUFDLE9BQWU7UUFDMUMsTUFBTSxvQkFBb0IsR0FBRyw2QkFBa0IsQ0FBQyxpQkFBaUIsQ0FDL0QsT0FBTyxFQUNQLHFEQUF3QyxDQUN6QyxDQUFDO1FBQ0YsSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7WUFDMUIsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO1FBQ3ZELENBQUM7UUFFRCxJQUFJLENBQUM7WUFDSCw4Q0FBb0IsQ0FBQyxvQkFBb0IsQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1FBQ2xFLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO1FBQ3ZELENBQUM7SUFDSCxDQUFDO0lBRU8sS0FBSyxDQUFDLDBCQUEwQixDQUFDLE9BQWU7UUFDdEQsTUFBTSxxQkFBcUIsR0FBRyw2QkFBa0IsQ0FBQyxpQkFBaUIsQ0FDaEUsT0FBTyxFQUNQLDhDQUFpQyxDQUNsQyxDQUFDO1FBQ0YsSUFBSSxDQUFDLHFCQUFxQixFQUFFLENBQUM7WUFDM0IsTUFBTSxJQUFJLEtBQUssQ0FBQyx5Q0FBeUMsQ0FBQyxDQUFDO1FBQzdELENBQUM7UUFFRCxJQUFJLENBQUM7WUFDSCxNQUFNLDhDQUFvQixDQUFDLDBCQUEwQixDQUFDLHFCQUFxQixDQUFDLENBQUM7UUFDL0UsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixNQUFNLE9BQU8sR0FBRywyQkFBMkIsQ0FBQztZQUM1QyxJQUFJLEdBQUcsWUFBWSxpQ0FBcUIsRUFBRSxDQUFDO2dCQUN6QyxNQUFNLElBQUksS0FBSyxDQUFDLEdBQUcsT0FBTyxJQUFJLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQy9DLENBQUM7WUFDRCxNQUFNLElBQUksS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQzNCLENBQUM7SUFDSCxDQUFDO0NBQ0Y7QUFqSEQsc0RBaUhDIn0=
package/dist/mjs/certificates/crl.d.ts ADDED
@@ -0,0 +1,6 @@
1
+ import * as pkijs from 'pkijs';
2
+ export declare class CRLHelper {
3
+ static getCRLFromCerts(certs: pkijs.Certificate[]): Promise<pkijs.CertificateRevocationList[]>;
4
+ private static getCRLRequestData;
5
+ private static getCRLResponse;
6
+ }
package/dist/mjs/certificates/crl.js ADDED
@@ -0,0 +1,39 @@
1
+ import * as pkijs from 'pkijs';
2
+ import { CertificatesHelper } from './helper.js';
3
+ import { OID_CRL_DISTRIBUTION_POINTS } from '../constants.js';
4
+ import { helpers } from '../index.js';
5
+ export class CRLHelper {
6
+ static async getCRLFromCerts(certs) {
7
+ const crlRequestsData = certs.map(this.getCRLRequestData).filter(Boolean);
8
+ if (!crlRequestsData.length) {
9
+ return [];
10
+ }
11
+ const crlResponseResults = await Promise.allSettled(crlRequestsData.map((reqData) => this.getCRLResponse(reqData)));
12
+ const rejectedCRLResponses = crlResponseResults
13
+ .filter(helpers.isRejected)
14
+ .map((result) => result.reason);
15
+ if (rejectedCRLResponses.length) {
16
+ throw new Error(`Can't get CRL responses for some certificates (reasons=${rejectedCRLResponses.join(';\n')})`);
17
+ }
18
+ return crlResponseResults.filter(helpers.isFulfilled).map((result) => result.value);
19
+ }
20
+ static getCRLRequestData(cert) {
21
+ const authorityExtension = CertificatesHelper.getExtensionValue(cert, OID_CRL_DISTRIBUTION_POINTS);
22
+ if (!authorityExtension) {
23
+ return;
24
+ }
25
+ const extensionValue = pkijs.ExtensionValueFactory.fromBER(OID_CRL_DISTRIBUTION_POINTS, authorityExtension);
26
+ const findType6DistributionPointExtension = (entry) => entry.type === 6;
27
+ const crlUrlDistributionPoints = extensionValue?.distributionPoints.find((point) => point.distributionPoint?.some(findType6DistributionPointExtension));
28
+ const crlUrl = crlUrlDistributionPoints?.distributionPoint?.find(findType6DistributionPointExtension)?.value;
29
+ if (!crlUrl) {
30
+ return;
31
+ }
32
+ return { crlUrl };
33
+ }
34
+ static async getCRLResponse(data) {
35
+ const response = await CertificatesHelper.downloadCertWithCache(data.crlUrl);
36
+ return pkijs.CertificateRevocationList.fromBER(response);
37
+ }
38
+ }
39
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3JsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9jcmwudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxLQUFLLEtBQUssTUFBTSxPQUFPLENBQUM7QUFDL0IsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sYUFBYSxDQUFDO0FBQ2pELE9BQU8sRUFBRSwyQkFBMkIsRUFBRSxNQUFNLGlCQUFpQixDQUFDO0FBQzlELE9BQU8sRUFBRSxPQUFPLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFJdEMsTUFBTSxPQUFPLFNBQVM7SUFDcEIsTUFBTSxDQUFDLEtBQUssQ0FBQyxlQUFlLENBQzFCLEtBQTBCO1FBRTFCLE1BQU0sZUFBZSxHQUFHLEtBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLGlCQUFpQixDQUFDLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBcUIsQ0FBQztRQUM5RixJQUFJLENBQUMsZUFBZSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQzVCLE9BQU8sRUFBRSxDQUFDO1FBQ1osQ0FBQztRQUVELE1BQU0sa0JBQWtCLEdBQUcsTUFBTSxPQUFPLENBQUMsVUFBVSxDQUNqRCxlQUFlLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsY0FBYyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQy9ELENBQUM7UUFFRixNQUFNLG9CQUFvQixHQUFHLGtCQUFrQjthQUM1QyxNQUFNLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQzthQUMxQixHQUFHLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNsQyxJQUFJLG9CQUFvQixDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ2hDLE1BQU0sSUFBSSxLQUFLLENBQ2IsMERBQTBELG9CQUFvQixDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUM5RixDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sa0JBQWtCLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUN0RixDQUFDO0lBRU8sTUFBTSxDQUFDLGlCQUFpQixDQUFDLElBQXVCO1FBQ3RELE1BQU0sa0JBQWtCLEdBQUcsa0JBQWtCLENBQUMsaUJBQWlCLENBQzdELElBQUksRUFDSiwyQkFBMkIsQ0FDNUIsQ0FBQztRQUNGLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBQ3hCLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxjQUFjLEdBQUcsS0FBSyxDQUFDLHFCQUFxQixDQUFDLE9BQU8sQ0FDeEQsMkJBQTJCLEVBQzNCLGtCQUFrQixDQUNZLENBQUM7UUFFakMsTUFBTSxtQ0FBbUMsR0FBRyxDQUFDLEtBQXdCLEVBQVcsRUFBRSxDQUNoRixLQUFLLENBQUMsSUFBSSxLQUFLLENBQUMsQ0FBQztRQUVuQixNQUFNLHdCQUF3QixHQUFHLGNBQWMsRUFBRSxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUNoRixLQUFLLENBQUMsaUJBQXFELEVBQUUsSUFBSSxDQUNoRSxtQ0FBbUMsQ0FDcEMsQ0FDRixDQUFDO1FBQ0YsTUFBTSxNQUFNLEdBQ1Ysd0JBQXdCLEVBQUUsaUJBQzNCLEVBQUUsSUFBSSxDQUFDLG1DQUFtQyxDQUFDLEVBQUUsS0FBSyxDQUFDO1FBQ3BELElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNaLE9BQU87UUFDVCxDQUFDO1FBRUQsT0FBTyxFQUFFLE1BQU0sRUFBRSxDQUFDO0lBQ3BCLENBQUM7SUFFTyxNQUFNLENBQUMsS0FBSyxDQUFDLGNBQWMsQ0FDakMsSUFBb0I7UUFFcEIsTUFBTSxRQUFRLEdBQUcsTUFBTSxrQkFBa0IsQ0FBQyxxQkFBcUIsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFN0UsT0FBTyxLQUFLLENBQUMseUJBQXlCLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxDQUFDO0lBQzNELENBQUM7Q0FDRiJ9
package/dist/mjs/certificates/helper.d.ts ADDED
@@ -0,0 +1,21 @@
1
+ /// <reference types="node" />
2
+ import * as pkijs from 'pkijs';
3
+ import { ValidateCertChainResult } from './types.js';
4
+ export declare class CertificatesHelper {
5
+ private static downloadedCertificateCache;
6
+ static derToPem(data: ArrayBuffer): string;
7
+ static pemToDer(certPem: string): Uint8Array;
8
+ static splitPemCerts(certs: string): string[];
9
+ static getDomain(certPem: string): string | undefined;
10
+ static getExtensionValue(certParam: string | pkijs.Certificate, oid: string): Buffer | undefined;
11
+ static extractCAFromChain(certsPem: string): {
12
+ certs: string;
13
+ ca: string;
14
+ };
15
+ static pemChainToDer(certsPem: string): Uint8Array[];
16
+ static derChainToPem(certsDer: Uint8Array[]): string;
17
+ static downloadCertWithCache(url: string): Promise<Buffer>;
18
+ static validateCertChain(certsPem: string | string[], caPem: string | string[], options?: {
19
+ offline?: boolean;
20
+ }): Promise<ValidateCertChainResult>;
21
+ }
package/dist/mjs/certificates/helper.js ADDED
@@ -0,0 +1,131 @@
1
+ import { X509Certificate } from 'crypto';
2
+ import _ from 'lodash';
3
+ import axios from 'axios';
4
+ import forge from 'node-forge';
5
+ import * as pkijs from 'pkijs';
6
+ import { createMemoryCache } from '../utils/cache/memory.js';
7
+ import { OCSPHelper } from './ocsp.js';
8
+ import { CRLHelper } from './crl.js';
9
+ //pkijs initCryptoEngine method doesn't work properly in nodejs
10
+ //https://github.com/PeculiarVentures/PKI.js/blob/91c596be220c5010b38415a68bd100942dfd321e/src/CryptoEngine/CryptoEngineInit.ts#L4
11
+ try {
12
+ pkijs.getEngine();
13
+ }
14
+ catch (err) {
15
+ if (err.message === `Please call 'setEngine' before call to 'getEngine'`) {
16
+ pkijs.setEngine('Node', new pkijs.CryptoEngine({ name: 'Node', crypto: require('crypto').webcrypto }));
17
+ }
18
+ }
19
+ export class CertificatesHelper {
20
+ static downloadedCertificateCache = createMemoryCache();
21
+ static derToPem(data) {
22
+ return forge.pem.encode({
23
+ contentDomain: null,
24
+ dekInfo: null,
25
+ headers: [],
26
+ procType: null,
27
+ type: 'CERTIFICATE',
28
+ body: Buffer.from(data).toString('binary'),
29
+ });
30
+ }
31
+ static pemToDer(certPem) {
32
+ return Buffer.from(forge.pki.pemToDer(certPem).bytes(), 'binary');
33
+ }
34
+ static splitPemCerts(certs) {
35
+ const pemRegex = /(-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----)/g;
36
+ return certs.match(pemRegex) || [];
37
+ }
38
+ static getDomain(certPem) {
39
+ const cert = forge.pki.certificateFromPem(certPem);
40
+ return cert.subject.attributes.find((attribute) => attribute.name === 'commonName')
41
+ ?.value;
42
+ }
43
+ static getExtensionValue(certParam, oid) {
44
+ const cert = typeof certParam === 'string'
45
+ ? pkijs.Certificate.fromBER(CertificatesHelper.pemToDer(certParam))
46
+ : certParam;
47
+ const extension = cert.extensions?.find((ext) => ext.extnID === oid);
48
+ return extension && Buffer.from(extension.extnValue.valueBlock.toBER());
49
+ }
50
+ static extractCAFromChain(certsPem) {
51
+ const certs = CertificatesHelper.splitPemCerts(certsPem);
52
+ const splittedCerts = _.partition(certs, (cert) => {
53
+ const x509 = new X509Certificate(cert);
54
+ return x509.issuer !== x509.subject;
55
+ });
56
+ return {
57
+ certs: splittedCerts[0].join('\n'),
58
+ ca: splittedCerts[1].join('\n'),
59
+ };
60
+ }
61
+ static pemChainToDer(certsPem) {
62
+ const certs = CertificatesHelper.splitPemCerts(certsPem);
63
+ return certs.map((certPem) => CertificatesHelper.pemToDer(certPem));
64
+ }
65
+ static derChainToPem(certsDer) {
66
+ return certsDer.map(CertificatesHelper.derToPem).join('').trim();
67
+ }
68
+ static async downloadCertWithCache(url) {
69
+ const responseData = await CertificatesHelper.downloadedCertificateCache.wrap(url, async () => {
70
+ const response = await axios(url, {
71
+ responseType: 'arraybuffer',
72
+ });
73
+ return response?.data;
74
+ }, {
75
+ ttl: 5 * 60 * 1000, //5 min
76
+ });
77
+ return responseData;
78
+ }
79
+ static async validateCertChain(certsPem, caPem, options = {}) {
80
+ const { offline } = options;
81
+ const toPkiCerts = (certs) => {
82
+ const certsArray = Array.isArray(certs) ? certs : CertificatesHelper.splitPemCerts(certs);
83
+ return certsArray.map((certPem) => pkijs.Certificate.fromBER(CertificatesHelper.pemToDer(certPem)));
84
+ };
85
+ const certs = toPkiCerts(certsPem);
86
+ // pkijs is cert order-sensitive. Bug or feature?
87
+ certs.sort((first, second) => {
88
+ if (first.subject.isEqual(second.issuer)) {
89
+ return -1;
90
+ }
91
+ else if (first.issuer.isEqual(second.subject)) {
92
+ return 1;
93
+ }
94
+ else {
95
+ return 0;
96
+ }
97
+ });
98
+ const ca = toPkiCerts(caPem);
99
+ try {
100
+ const crls = offline ? [] : await CRLHelper.getCRLFromCerts(certs);
101
+ const ocspBaseResponses = offline ? [] : await OCSPHelper.getOCSPResponseFromCerts(certs, ca);
102
+ const chainEngine = new pkijs.CertificateChainValidationEngine({
103
+ certs,
104
+ trustedCerts: ca,
105
+ ocsps: ocspBaseResponses,
106
+ crls,
107
+ });
108
+ const verifyResult = await chainEngine.verify();
109
+ if (!verifyResult.result) {
110
+ return {
111
+ success: false,
112
+ errorMessage: verifyResult.resultMessage,
113
+ };
114
+ }
115
+ const isEachCertVerified = certs.every((cert) => verifyResult.certificatePath?.find((verifiedCert) => verifiedCert.serialNumber.isEqual(cert.serialNumber)));
116
+ if (!isEachCertVerified) {
117
+ throw new Error('Some of certificates do not belong to chain');
118
+ }
119
+ return {
120
+ success: true,
121
+ };
122
+ }
123
+ catch (err) {
124
+ return {
125
+ success: false,
126
+ errorMessage: err.message,
127
+ };
128
+ }
129
+ }
130
+ }
131
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9oZWxwZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLGVBQWUsRUFBRSxNQUFNLFFBQVEsQ0FBQztBQUN6QyxPQUFPLENBQUMsTUFBTSxRQUFRLENBQUM7QUFDdkIsT0FBTyxLQUFLLE1BQU0sT0FBTyxDQUFDO0FBQzFCLE9BQU8sS0FBSyxNQUFNLFlBQVksQ0FBQztBQUMvQixPQUFPLEtBQUssS0FBSyxNQUFNLE9BQU8sQ0FBQztBQUMvQixPQUFPLEVBQUUsaUJBQWlCLEVBQUUsTUFBTSwwQkFBMEIsQ0FBQztBQUU3RCxPQUFPLEVBQUUsVUFBVSxFQUFFLE1BQU0sV0FBVyxDQUFDO0FBQ3ZDLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxVQUFVLENBQUM7QUFFckMsK0RBQStEO0FBQy9ELGtJQUFrSTtBQUNsSSxJQUFJLENBQUM7SUFDSCxLQUFLLENBQUMsU0FBUyxFQUFFLENBQUM7QUFDcEIsQ0FBQztBQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7SUFDYixJQUFLLEdBQWEsQ0FBQyxPQUFPLEtBQUssb0RBQW9ELEVBQUUsQ0FBQztRQUNwRixLQUFLLENBQUMsU0FBUyxDQUNiLE1BQU0sRUFDTixJQUFJLEtBQUssQ0FBQyxZQUFZLENBQUMsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLE1BQU0sRUFBRSxPQUFPLENBQUMsUUFBUSxDQUFDLENBQUMsU0FBUyxFQUFFLENBQUMsQ0FDOUUsQ0FBQztJQUNKLENBQUM7QUFDSCxDQUFDO0FBRUQsTUFBTSxPQUFPLGtCQUFrQjtJQUNyQixNQUFNLENBQUMsMEJBQTBCLEdBQUcsaUJBQWlCLEVBQUUsQ0FBQztJQUVoRSxNQUFNLENBQUMsUUFBUSxDQUFDLElBQWlCO1FBQy9CLE9BQU8sS0FBSyxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUM7WUFDdEIsYUFBYSxFQUFFLElBQUk7WUFDbkIsT0FBTyxFQUFFLElBQUk7WUFDYixPQUFPLEVBQUUsRUFBRTtZQUNYLFFBQVEsRUFBRSxJQUFJO1lBQ2QsSUFBSSxFQUFFLGFBQWE7WUFDbkIsSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQztTQUMzQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsTUFBTSxDQUFDLFFBQVEsQ0FBQyxPQUFlO1FBQzdCLE9BQU8sTUFBTSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQyxLQUFLLEVBQUUsRUFBRSxRQUFRLENBQUMsQ0FBQztJQUNwRSxDQUFDO0lBRUQsTUFBTSxDQUFDLGFBQWEsQ0FBQyxLQUFhO1FBQ2hDLE1BQU0sUUFBUSxHQUFHLGlFQUFpRSxDQUFDO1FBQ25GLE9BQU8sS0FBSyxDQUFDLEtBQUssQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLENBQUM7SUFDckMsQ0FBQztJQUVELE1BQU0sQ0FBQyxTQUFTLENBQUMsT0FBZTtRQUM5QixNQUFNLElBQUksR0FBRyxLQUFLLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ25ELE9BQU8sSUFBSSxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUMsU0FBUyxFQUFFLEVBQUUsQ0FBQyxTQUFTLENBQUMsSUFBSSxLQUFLLFlBQVksQ0FBQztZQUNqRixFQUFFLEtBQWUsQ0FBQztJQUN0QixDQUFDO0lBRUQsTUFBTSxDQUFDLGlCQUFpQixDQUFDLFNBQXFDLEVBQUUsR0FBVztRQUN6RSxNQUFNLElBQUksR0FDUixPQUFPLFNBQVMsS0FBSyxRQUFRO1lBQzNCLENBQUMsQ0FBQyxLQUFLLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDbkUsQ0FBQyxDQUFDLFNBQVMsQ0FBQztRQUNoQixNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsVUFBVSxFQUFFLElBQUksQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLE1BQU0sS0FBSyxHQUFHLENBQUMsQ0FBQztRQUNyRSxPQUFPLFNBQVMsSUFBSSxNQUFNLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLEtBQUssRUFBRSxDQUFDLENBQUM7SUFDMUUsQ0FBQztJQUVELE1BQU0sQ0FBQyxrQkFBa0IsQ0FBQyxRQUFnQjtRQUN4QyxNQUFNLEtBQUssR0FBRyxrQkFBa0IsQ0FBQyxhQUFhLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDekQsTUFBTSxhQUFhLEdBQUcsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxJQUFJLEVBQUUsRUFBRTtZQUNoRCxNQUFNLElBQUksR0FBRyxJQUFJLGVBQWUsQ0FBQyxJQUFJLENBQUMsQ0FBQztZQUV2QyxPQUFPLElBQUksQ0FBQyxNQUFNLEtBQUssSUFBSSxDQUFDLE9BQU8sQ0FBQztRQUN0QyxDQUFDLENBQUMsQ0FBQztRQUVILE9BQU87WUFDTCxLQUFLLEVBQUUsYUFBYSxDQUFDLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUM7WUFDbEMsRUFBRSxFQUFFLGFBQWEsQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDO1NBQ2hDLENBQUM7SUFDSixDQUFDO0lBRUQsTUFBTSxDQUFDLGFBQWEsQ0FBQyxRQUFnQjtRQUNuQyxNQUFNLEtBQUssR0FBRyxrQkFBa0IsQ0FBQyxhQUFhLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFekQsT0FBTyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztJQUN0RSxDQUFDO0lBRUQsTUFBTSxDQUFDLGFBQWEsQ0FBQyxRQUFzQjtRQUN6QyxPQUFPLFFBQVEsQ0FBQyxHQUFHLENBQUMsa0JBQWtCLENBQUMsUUFBUSxDQUFDLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDO0lBQ25FLENBQUM7SUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLHFCQUFxQixDQUFDLEdBQVc7UUFDNUMsTUFBTSxZQUFZLEdBQUcsTUFBTSxrQkFBa0IsQ0FBQywwQkFBMEIsQ0FBQyxJQUFJLENBQzNFLEdBQUcsRUFDSCxLQUFLLElBQUksRUFBRTtZQUNULE1BQU0sUUFBUSxHQUFHLE1BQU0sS0FBSyxDQUFDLEdBQUcsRUFBRTtnQkFDaEMsWUFBWSxFQUFFLGFBQWE7YUFDNUIsQ0FBQyxDQUFDO1lBQ0gsT0FBTyxRQUFRLEVBQUUsSUFBSSxDQUFDO1FBQ3hCLENBQUMsRUFDRDtZQUNFLEdBQUcsRUFBRSxDQUFDLEdBQUcsRUFBRSxHQUFHLElBQUksRUFBRSxPQUFPO1NBQzVCLENBQ0YsQ0FBQztRQUVGLE9BQU8sWUFBWSxDQUFDO0lBQ3RCLENBQUM7SUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLGlCQUFpQixDQUM1QixRQUEyQixFQUMzQixLQUF3QixFQUN4QixVQUFpQyxFQUFFO1FBRW5DLE1BQU0sRUFBRSxPQUFPLEVBQUUsR0FBRyxPQUFPLENBQUM7UUFDNUIsTUFBTSxVQUFVLEdBQUcsQ0FBQyxLQUF3QixFQUF1QixFQUFFO1lBQ25FLE1BQU0sVUFBVSxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsa0JBQWtCLENBQUMsYUFBYSxDQUFDLEtBQUssQ0FBQyxDQUFDO1lBQzFGLE9BQU8sVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQ2hDLEtBQUssQ0FBQyxXQUFXLENBQUMsT0FBTyxDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUNoRSxDQUFDO1FBQ0osQ0FBQyxDQUFDO1FBQ0YsTUFBTSxLQUFLLEdBQUcsVUFBVSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBRW5DLGlEQUFpRDtRQUNqRCxLQUFLLENBQUMsSUFBSSxDQUFDLENBQUMsS0FBSyxFQUFFLE1BQU0sRUFBRSxFQUFFO1lBQzNCLElBQUksS0FBSyxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7Z0JBQ3pDLE9BQU8sQ0FBQyxDQUFDLENBQUM7WUFDWixDQUFDO2lCQUFNLElBQUksS0FBSyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7Z0JBQ2hELE9BQU8sQ0FBQyxDQUFDO1lBQ1gsQ0FBQztpQkFBTSxDQUFDO2dCQUNOLE9BQU8sQ0FBQyxDQUFDO1lBQ1gsQ0FBQztRQUNILENBQUMsQ0FBQyxDQUFDO1FBRUgsTUFBTSxFQUFFLEdBQUcsVUFBVSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBRTdCLElBQUksQ0FBQztZQUNILE1BQU0sSUFBSSxHQUFHLE9BQU8sQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxNQUFNLFNBQVMsQ0FBQyxlQUFlLENBQUMsS0FBSyxDQUFDLENBQUM7WUFDbkUsTUFBTSxpQkFBaUIsR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsTUFBTSxVQUFVLENBQUMsd0JBQXdCLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1lBRTlGLE1BQU0sV0FBVyxHQUFHLElBQUksS0FBSyxDQUFDLGdDQUFnQyxDQUFDO2dCQUM3RCxLQUFLO2dCQUNMLFlBQVksRUFBRSxFQUFFO2dCQUNoQixLQUFLLEVBQUUsaUJBQWlCO2dCQUN4QixJQUFJO2FBQ0wsQ0FBQyxDQUFDO1lBRUgsTUFBTSxZQUFZLEdBQUcsTUFBTSxXQUFXLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDaEQsSUFBSSxDQUFDLFlBQVksQ0FBQyxNQUFNLEVBQUUsQ0FBQztnQkFDekIsT0FBTztvQkFDTCxPQUFPLEVBQUUsS0FBSztvQkFDZCxZQUFZLEVBQUUsWUFBWSxDQUFDLGFBQWE7aUJBQ3pDLENBQUM7WUFDSixDQUFDO1lBRUQsTUFBTSxrQkFBa0IsR0FBRyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FDOUMsWUFBWSxDQUFDLGVBQWUsRUFBRSxJQUFJLENBQUMsQ0FBQyxZQUFZLEVBQUUsRUFBRSxDQUNsRCxZQUFZLENBQUMsWUFBWSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQ3JELENBQ0YsQ0FBQztZQUNGLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO2dCQUN4QixNQUFNLElBQUksS0FBSyxDQUFDLDZDQUE2QyxDQUFDLENBQUM7WUFDakUsQ0FBQztZQUVELE9BQU87Z0JBQ0wsT0FBTyxFQUFFLElBQUk7YUFDZCxDQUFDO1FBQ0osQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixPQUFPO2dCQUNMLE9BQU8sRUFBRSxLQUFLO2dCQUNkLFlBQVksRUFBRyxHQUFhLENBQUMsT0FBTzthQUNyQyxDQUFDO1FBQ0osQ0FBQztJQUNILENBQUMifQ==
package/dist/mjs/certificates/index.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ export * from './helper.js';
2
+ export * from './types.js';
package/dist/mjs/certificates/index.js ADDED
@@ -0,0 +1,3 @@
1
+ export * from './helper.js';
2
+ export * from './types.js';
3
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2VydGlmaWNhdGVzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWMsYUFBYSxDQUFDO0FBQzVCLGNBQWMsWUFBWSxDQUFDIn0=
package/dist/mjs/certificates/ocsp.d.ts ADDED
@@ -0,0 +1,9 @@
1
+ import * as pkijs from 'pkijs';
2
+ export declare class OCSPHelper {
3
+ static getOCSPResponseFromCerts(certs: pkijs.Certificate[], ca: pkijs.Certificate[]): Promise<pkijs.BasicOCSPResponse[]>;
4
+ private static getOCSPRequestData;
5
+ private static getOCSPResponse;
6
+ private static sendOCSPRequest;
7
+ private static getNonceForRequest;
8
+ private static getNonceFromResponse;
9
+ }
package/dist/mjs/certificates/ocsp.js ADDED
@@ -0,0 +1,94 @@
1
+ import * as pkijs from 'pkijs';
2
+ import * as asn1js from 'asn1js';
3
+ import axios from 'axios';
4
+ import { OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION, OID_OCSP_ACCESS_METHOD, OID_OCSP_ISSUER_ACCESS_METHOD, } from '../constants.js';
5
+ import { CertificatesHelper } from './helper.js';
6
+ import { constants, helpers } from '../index.js';
7
+ export class OCSPHelper {
8
+ static async getOCSPResponseFromCerts(certs, ca) {
9
+ const ocspRequestsData = certs
10
+ .map(OCSPHelper.getOCSPRequestData)
11
+ .filter(Boolean);
12
+ if (!ocspRequestsData.length) {
13
+ return [];
14
+ }
15
+ const ocspResponseResults = await Promise.allSettled(ocspRequestsData.map((ocspReqData) => OCSPHelper.getOCSPResponse(ocspReqData, ca)));
16
+ const rejectedOCSPResponses = ocspResponseResults
17
+ .filter(helpers.isRejected)
18
+ .map((result) => result.reason);
19
+ if (rejectedOCSPResponses.length) {
20
+ throw new Error(`Can't get OCSP responses for some certificates (reasons=${rejectedOCSPResponses.join(';\n')})`);
21
+ }
22
+ return ocspResponseResults.filter(helpers.isFulfilled).map((result) => result.value);
23
+ }
24
+ static getOCSPRequestData(cert) {
25
+ const authorityExtension = CertificatesHelper.getExtensionValue(cert, OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION);
26
+ if (!authorityExtension) {
27
+ return;
28
+ }
29
+ const extensionValue = pkijs.ExtensionValueFactory.fromBER(OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION, authorityExtension);
30
+ const ocspUrl = extensionValue.accessDescriptions.find((desc) => desc.accessMethod === OID_OCSP_ACCESS_METHOD)?.accessLocation.value;
31
+ const issuerCertUrl = extensionValue.accessDescriptions.find((desc) => desc.accessMethod === OID_OCSP_ISSUER_ACCESS_METHOD)?.accessLocation.value;
32
+ if (!ocspUrl || !issuerCertUrl) {
33
+ // TODO: throw error?
34
+ return;
35
+ }
36
+ return { ocspUrl, issuerCertUrl, cert };
37
+ }
38
+ static async getOCSPResponse(data, ca) {
39
+ const { ocspUrl, issuerCertUrl, cert } = data;
40
+ const issuerCertRaw = await CertificatesHelper.downloadCertWithCache(issuerCertUrl);
41
+ const issuerCertificate = pkijs.Certificate.fromBER(issuerCertRaw);
42
+ const ocspReq = new pkijs.OCSPRequest();
43
+ await ocspReq.createForCertificate(cert, {
44
+ hashAlgorithm: 'SHA-256',
45
+ issuerCertificate,
46
+ });
47
+ const reqNonce = OCSPHelper.getNonceForRequest();
48
+ ocspReq.tbsRequest.requestExtensions = [
49
+ new pkijs.Extension({
50
+ extnID: constants.OID_OCSP_NONCE,
51
+ extnValue: new asn1js.OctetString({ valueHex: reqNonce.buffer }).toBER(),
52
+ }),
53
+ ];
54
+ const ocspBasicResp = await OCSPHelper.sendOCSPRequest(ocspUrl, ocspReq);
55
+ const respNonce = await OCSPHelper.getNonceFromResponse(ocspBasicResp);
56
+ if (respNonce && Buffer.compare(reqNonce, respNonce) !== 0) {
57
+ throw new Error(`OCSP nonces from request and response do not match`);
58
+ }
59
+ const trustedCerts = [];
60
+ if (!ocspBasicResp.certs) {
61
+ ocspBasicResp.certs = [issuerCertificate];
62
+ trustedCerts.push(...ca);
63
+ }
64
+ else {
65
+ trustedCerts.push(issuerCertificate);
66
+ }
67
+ await ocspBasicResp.verify({ trustedCerts });
68
+ return ocspBasicResp;
69
+ }
70
+ static async sendOCSPRequest(ocspUrl, ocspReq) {
71
+ const ocspResponse = await axios(ocspUrl, {
72
+ method: 'POST',
73
+ headers: {
74
+ 'Content-Type': 'application/ocsp-request',
75
+ },
76
+ responseType: 'arraybuffer',
77
+ data: ocspReq.toSchema(true).toBER(),
78
+ });
79
+ const ocspRespSimpl = pkijs.OCSPResponse.fromBER(ocspResponse.data);
80
+ if (!ocspRespSimpl.responseBytes) {
81
+ throw new Error('"No "ResponseBytes" in the OCSP Response - nothing to verify');
82
+ }
83
+ const ocspBasicResp = pkijs.BasicOCSPResponse.fromBER(ocspRespSimpl.responseBytes.response.valueBlock.valueHexView);
84
+ return ocspBasicResp;
85
+ }
86
+ static getNonceForRequest() {
87
+ return pkijs.getRandomValues(new Uint8Array(32));
88
+ }
89
+ static getNonceFromResponse(ocspBasicResp) {
90
+ const nonceExtension = ocspBasicResp.tbsResponseData?.responseExtensions?.find((extension) => extension.extnID === constants.OID_OCSP_NONCE);
91
+ return nonceExtension?.extnValue.valueBlock.valueHexView;
92
+ }
93
+ }
94
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2NzcC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jZXJ0aWZpY2F0ZXMvb2NzcC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssS0FBSyxNQUFNLE9BQU8sQ0FBQztBQUMvQixPQUFPLEtBQUssTUFBTSxNQUFNLFFBQVEsQ0FBQztBQUNqQyxPQUFPLEtBQUssTUFBTSxPQUFPLENBQUM7QUFDMUIsT0FBTyxFQUNMLDBDQUEwQyxFQUMxQyxzQkFBc0IsRUFDdEIsNkJBQTZCLEdBQzlCLE1BQU0saUJBQWlCLENBQUM7QUFDekIsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sYUFBYSxDQUFDO0FBQ2pELE9BQU8sRUFBRSxTQUFTLEVBQUUsT0FBTyxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBSWpELE1BQU0sT0FBTyxVQUFVO0lBQ3JCLE1BQU0sQ0FBQyxLQUFLLENBQUMsd0JBQXdCLENBQ25DLEtBQTBCLEVBQzFCLEVBQXVCO1FBRXZCLE1BQU0sZ0JBQWdCLEdBQUcsS0FBSzthQUMzQixHQUFHLENBQUMsVUFBVSxDQUFDLGtCQUFrQixDQUFDO2FBQ2xDLE1BQU0sQ0FBQyxPQUFPLENBQXNCLENBQUM7UUFFeEMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQzdCLE9BQU8sRUFBRSxDQUFDO1FBQ1osQ0FBQztRQUVELE1BQU0sbUJBQW1CLEdBQUcsTUFBTSxPQUFPLENBQUMsVUFBVSxDQUNsRCxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsQ0FBQyxXQUFXLEVBQUUsRUFBRSxDQUFDLFVBQVUsQ0FBQyxlQUFlLENBQUMsV0FBVyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQ25GLENBQUM7UUFFRixNQUFNLHFCQUFxQixHQUFHLG1CQUFtQjthQUM5QyxNQUFNLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQzthQUMxQixHQUFHLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNsQyxJQUFJLHFCQUFxQixDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQ2IsMkRBQTJELHFCQUFxQixDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUNoRyxDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sbUJBQW1CLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUN2RixDQUFDO0lBRU8sTUFBTSxDQUFDLGtCQUFrQixDQUFDLElBQXVCO1FBQ3ZELE1BQU0sa0JBQWtCLEdBQUcsa0JBQWtCLENBQUMsaUJBQWlCLENBQzdELElBQUksRUFDSiwwQ0FBMEMsQ0FDM0MsQ0FBQztRQUNGLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBQ3hCLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxjQUFjLEdBQUcsS0FBSyxDQUFDLHFCQUFxQixDQUFDLE9BQU8sQ0FDeEQsMENBQTBDLEVBQzFDLGtCQUFrQixDQUNFLENBQUM7UUFFdkIsTUFBTSxPQUFPLEdBQUcsY0FBYyxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FDcEQsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUksQ0FBQyxZQUFZLEtBQUssc0JBQXNCLENBQ3ZELEVBQUUsY0FBYyxDQUFDLEtBQUssQ0FBQztRQUV4QixNQUFNLGFBQWEsR0FBRyxjQUFjLENBQUMsa0JBQWtCLENBQUMsSUFBSSxDQUMxRCxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLFlBQVksS0FBSyw2QkFBNkIsQ0FDOUQsRUFBRSxjQUFjLENBQUMsS0FBSyxDQUFDO1FBRXhCLElBQUksQ0FBQyxPQUFPLElBQUksQ0FBQyxhQUFhLEVBQUUsQ0FBQztZQUMvQixxQkFBcUI7WUFDckIsT0FBTztRQUNULENBQUM7UUFFRCxPQUFPLEVBQUUsT0FBTyxFQUFFLGFBQWEsRUFBRSxJQUFJLEVBQUUsQ0FBQztJQUMxQyxDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQUssQ0FBQyxlQUFlLENBQ2xDLElBQXFCLEVBQ3JCLEVBQXVCO1FBRXZCLE1BQU0sRUFBRSxPQUFPLEVBQUUsYUFBYSxFQUFFLElBQUksRUFBRSxHQUFHLElBQUksQ0FBQztRQUM5QyxNQUFNLGFBQWEsR0FBRyxNQUFNLGtCQUFrQixDQUFDLHFCQUFxQixDQUFDLGFBQWEsQ0FBQyxDQUFDO1FBQ3BGLE1BQU0saUJBQWlCLEdBQUcsS0FBSyxDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsYUFBYSxDQUFDLENBQUM7UUFDbkUsTUFBTSxPQUFPLEdBQUcsSUFBSSxLQUFLLENBQUMsV0FBVyxFQUFFLENBQUM7UUFDeEMsTUFBTSxPQUFPLENBQUMsb0JBQW9CLENBQUMsSUFBSSxFQUFFO1lBQ3ZDLGFBQWEsRUFBRSxTQUFTO1lBQ3hCLGlCQUFpQjtTQUNsQixDQUFDLENBQUM7UUFDSCxNQUFNLFFBQVEsR0FBRyxVQUFVLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztRQUNqRCxPQUFPLENBQUMsVUFBVSxDQUFDLGlCQUFpQixHQUFHO1lBQ3JDLElBQUksS0FBSyxDQUFDLFNBQVMsQ0FBQztnQkFDbEIsTUFBTSxFQUFFLFNBQVMsQ0FBQyxjQUFjO2dCQUNoQyxTQUFTLEVBQUUsSUFBSSxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsUUFBUSxFQUFFLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLEtBQUssRUFBRTthQUN6RSxDQUFDO1NBQ0gsQ0FBQztRQUVGLE1BQU0sYUFBYSxHQUFHLE1BQU0sVUFBVSxDQUFDLGVBQWUsQ0FBQyxPQUFPLEVBQUUsT0FBTyxDQUFDLENBQUM7UUFFekUsTUFBTSxTQUFTLEdBQUcsTUFBTSxVQUFVLENBQUMsb0JBQW9CLENBQUMsYUFBYSxDQUFDLENBQUM7UUFDdkUsSUFBSSxTQUFTLElBQUksTUFBTSxDQUFDLE9BQU8sQ0FBQyxRQUFRLEVBQUUsU0FBUyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDM0QsTUFBTSxJQUFJLEtBQUssQ0FBQyxvREFBb0QsQ0FBQyxDQUFDO1FBQ3hFLENBQUM7UUFFRCxNQUFNLFlBQVksR0FBd0IsRUFBRSxDQUFDO1FBQzdDLElBQUksQ0FBQyxhQUFhLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDekIsYUFBYSxDQUFDLEtBQUssR0FBRyxDQUFDLGlCQUFpQixDQUFDLENBQUM7WUFDMUMsWUFBWSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQyxDQUFDO1FBQzNCLENBQUM7YUFBTSxDQUFDO1lBQ04sWUFBWSxDQUFDLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO1FBQ3ZDLENBQUM7UUFFRCxNQUFNLGFBQWEsQ0FBQyxNQUFNLENBQUMsRUFBRSxZQUFZLEVBQUUsQ0FBQyxDQUFDO1FBQzdDLE9BQU8sYUFBYSxDQUFDO0lBQ3ZCLENBQUM7SUFFTyxNQUFNLENBQUMsS0FBSyxDQUFDLGVBQWUsQ0FDbEMsT0FBZSxFQUNmLE9BQTBCO1FBRTFCLE1BQU0sWUFBWSxHQUFHLE1BQU0sS0FBSyxDQUFDLE9BQU8sRUFBRTtZQUN4QyxNQUFNLEVBQUUsTUFBTTtZQUNkLE9BQU8sRUFBRTtnQkFDUCxjQUFjLEVBQUUsMEJBQTBCO2FBQzNDO1lBQ0QsWUFBWSxFQUFFLGFBQWE7WUFDM0IsSUFBSSxFQUFFLE9BQU8sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLENBQUMsS0FBSyxFQUFFO1NBQ3JDLENBQUMsQ0FBQztRQUVILE1BQU0sYUFBYSxHQUFHLEtBQUssQ0FBQyxZQUFZLENBQUMsT0FBTyxDQUFDLFlBQVksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUNwRSxJQUFJLENBQUMsYUFBYSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQUMsOERBQThELENBQUMsQ0FBQztRQUNsRixDQUFDO1FBRUQsTUFBTSxhQUFhLEdBQUcsS0FBSyxDQUFDLGlCQUFpQixDQUFDLE9BQU8sQ0FDbkQsYUFBYSxDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsVUFBVSxDQUFDLFlBQVksQ0FDN0QsQ0FBQztRQUVGLE9BQU8sYUFBYSxDQUFDO0lBQ3ZCLENBQUM7SUFFTyxNQUFNLENBQUMsa0JBQWtCO1FBQy9CLE9BQU8sS0FBSyxDQUFDLGVBQWUsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQ25ELENBQUM7SUFFTyxNQUFNLENBQUMsb0JBQW9CLENBQ2pDLGFBQXNDO1FBRXRDLE1BQU0sY0FBYyxHQUFHLGFBQWEsQ0FBQyxlQUFlLEVBQUUsa0JBQWtCLEVBQUUsSUFBSSxDQUM1RSxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsU0FBUyxDQUFDLE1BQU0sS0FBSyxTQUFTLENBQUMsY0FBYyxDQUM3RCxDQUFDO1FBQ0YsT0FBTyxjQUFjLEVBQUUsU0FBUyxDQUFDLFVBQVUsQ0FBQyxZQUFZLENBQUM7SUFDM0QsQ0FBQztDQUNGIn0=
package/dist/mjs/certificates/types.d.ts ADDED
@@ -0,0 +1,4 @@
1
+ export type ValidateCertChainResult = {
2
+ success: boolean;
3
+ errorMessage?: string;
4
+ };
package/dist/mjs/certificates/types.js ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2VydGlmaWNhdGVzL3R5cGVzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiIifQ==
package/dist/mjs/constants.d.ts CHANGED
@@ -33,4 +33,9 @@ export declare const OID_CUSTOM_EXTENSION_ORDER_REPORT_HARDWARE_CONTEXT = "1.3.6
33
33
  export declare const OID_CUSTOM_EXTENSION_ORDER_REPORT_SIGNATURE_KEY_HASH = "1.3.6.1.3.8888.2.2";
34
34
  export declare const OID_CUSTOM_EXTENSION_ORDER_REPORT_WORKLOAD_INFO_HASH = "1.3.6.1.3.8888.2.3";
35
35
  export declare const OID_CUSTOM_EXTENSION_ORDER_REPORT_HASH = "1.3.6.1.3.8888.2.4";
36
+ export declare const OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION = "1.3.6.1.5.5.7.1.1";
37
+ export declare const OID_CRL_DISTRIBUTION_POINTS = "2.5.29.31";
38
+ export declare const OID_OCSP_ACCESS_METHOD = "1.3.6.1.5.5.7.48.1";
39
+ export declare const OID_OCSP_ISSUER_ACCESS_METHOD = "1.3.6.1.5.5.7.48.2";
40
+ export declare const OID_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2";
36
41
  export declare const SUPERPROTOCOL_CA = "-----BEGIN CERTIFICATE-----\nMIIWgTCCFWmgAwIBAgIBATANBgkqhkiG9w0BAQsFADB2MSIwIAYDVQQDExlTdXBl\nclByb3RvY29sIFRFRSBSb290IENBMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkx\nETAPBgNVBAcTCE5ldyBZb3JrMRYwFAYDVQQKEw1TdXBlclByb3RvY29sMQswCQYD\nVQQLEwJJVDAeFw0yNDA4MDEwMDAwMDBaFw0zNDA4MDEwMDAwMDBaMHYxIjAgBgNV\nBAMTGVN1cGVyUHJvdG9jb2wgVEVFIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMQswCQYD\nVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsxFjAUBgNVBAoTDVN1cGVyUHJvdG9j\nb2wxCzAJBgNVBAsTAklUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nzglA7RQrU/3zTBOPToH8awa9H+bbuKIgXI7f04HIaLNSrbmiBM/4VndGHRJeW8YC\nNk9uI/A1asGn8YZZTwO9PoSFoxECcAicoVZBKCiu6rSwfCMtyrT96vSPgFM5rkJU\nkof7Sq+hiHM9gEyVgVnaj/bgqMFH6VbOQIRoXRp7TsfCGNrN5biOG4JZXN6i++jq\nZ8jRVWxJxmIOPenStyo56HxH77UzVmS6cP4h3ZSrU+dfzDzCt2DOYu70AL84xGEL\n8DrbzEkVsJ9hfgYEbrlqz1ZUxRK/sePzbpSMjLQgmpG19cO8Fiiw97zCMZ7cqaMm\nsw3QR+qDMr0F7/NwbVo3uwIDAQABo4ITGDCCExQwDAYDVR0TBAUwAwEB/zALBgNV\nHQ8EBAMCAvQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW\nBBSQ7zEN1IhJiwxL6iijRvUGOEPTAzAmBgNVHREEHzAdghtjYS50ZWUtZGV2LnN1\ncGVycHJvdG9jb2wuaW8wghKPBgsGCSqGSIb4TYo5BgSCEn4DAAIAAAAAAAkADQCT\nmnIz95xMqZQKDbOVfwYHG66I9FykKwvt/jQQCevuIgAAAAALDhAP//8AAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAAAAAAAAOcAAAAA\nAAAAGs00+IfPwYb3wq4VwoEW0198mjskxvWclPjltUG9B2UAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAADTqfKiANP6A8gnpfND4RC97piHrKl9gOTqwWHGu\na5edAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAJ+nweKqz+nQJEZBiHgbktLiaAZj+hbLMUzRQaXO\n5vUbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKEAAAOBkNJBM9MpAE\n1ULeXAvIzhmBokK1V69OIzmM8/sCqbNFnU3UXTvkkwGMJyV0Hxmrx5zwONSlFa7Y\nZUFe6JaOZdAHH3Sp7tOMqu9V942UT6y+BHHTHbBW4BWqPppF2uhRn5lIBy8UZAS6\nWt6ZFEiOkCTQDGrMrV7EA/ABcYpZss0LDhAP//8AAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVAAAAAAAAAOcAAAAAAAAAzh2omsH1SoBy\nV8TlfHgUDLxmUtTVh9YPBYMSWieSvnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAIxPV3XXllA+lhN/d8aKgpoAVqyN7XAUCwgbCUSQxXv/AAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAJAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAKP9h/uxkPlnxiBt+FJ1sCWR3TZxtbgnqHBtPilCnsc/AAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD9bSJMCJpO6weDPAs3WXRDR3mnj9UdEZXL\nyaQ/Qviq6A3jVtUIoKhYOjL3W36u+zK1jbZ+90kgTbFuPcXo6VxdIAAAAQIDBAUG\nBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHwUAYg4AAC0tLS0tQkVHSU4gQ0VSVElG\nSUNBVEUtLS0tLQpNSUlFOGpDQ0JKaWdBd0lCQWdJVWZ3Nm44NU9Ob2FkQjh1TmVN\nd0ZtWS9iZWlRVXdDZ1lJS29aSXpqMEVBd0l3CmNERWlNQ0FHQTFVRUF3d1pTVzUw\nWld3Z1UwZFlJRkJEU3lCUWJHRjBabTl5YlNCRFFURWFNQmdHQTFVRUNnd1IKU1c1\nMFpXd2dRMjl5Y0c5eVlYUnBiMjR4RkRBU0JnTlZCQWNNQzFOaGJuUmhJRU5zWVhK\naE1Rc3dDUVlEVlFRSQpEQUpEUVRFTE1Ba0dBMVVFQmhNQ1ZWTXdIaGNOTWpNd016\nQTVNVGN3TVRFMFdoY05NekF3TXpBNU1UY3dNVEUwCldqQndNU0l3SUFZRFZRUURE\nQmxKYm5SbGJDQlRSMWdnVUVOTElFTmxjblJwWm1sallYUmxNUm93R0FZRFZRUUsK\nREJGSmJuUmxiQ0JEYjNKd2IzSmhkR2x2YmpFVU1CSUdBMVVFQnd3TFUyRnVkR0Vn\nUTJ4aGNtRXhDekFKQmdOVgpCQWdNQWtOQk1Rc3dDUVlEVlFRR0V3SlZVekJaTUJN\nR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCRk83CmlveHJwNFBoOXNwTXE2\nbDRKc05YSVVCeE9jR21rREFXNDJrZ3NBOWwvS3ZFNkRJRmpyLzF3UTdMcjRQdUln\nUEsKV2F3aHBrUnJYaDZadk5uWFpCZWpnZ01PTUlJRENqQWZCZ05WSFNNRUdEQVdn\nQlNWYjEzTnZSdmg2VUJKeWRUMApNODRCVnd2ZVZEQnJCZ05WSFI4RVpEQmlNR0Nn\nWHFCY2hscG9kSFJ3Y3pvdkwyRndhUzUwY25WemRHVmtjMlZ5CmRtbGpaWE11YVc1\nMFpXd3VZMjl0TDNObmVDOWpaWEowYVdacFkyRjBhVzl1TDNZMEwzQmphMk55YkQ5\nallUMXcKYkdGMFptOXliU1psYm1OdlpHbHVaejFrWlhJd0hRWURWUjBPQkJZRUZI\nZ2FucEY0VXV2SmpCZ2VEQmgvM0xvbAoxU3dwTUE0R0ExVWREd0VCL3dRRUF3SUd3\nREFNQmdOVkhSTUJBZjhFQWpBQU1JSUNPd1lKS29aSWh2aE5BUTBCCkJJSUNMREND\nQWlnd0hnWUtLb1pJaHZoTkFRMEJBUVFRUDVwUHZoK0VwcVMxSkpRdGVXN0JrREND\nQVdVR0NpcUcKU0liNFRRRU5BUUl3Z2dGVk1CQUdDeXFHU0liNFRRRU5BUUlCQWdF\nSE1CQUdDeXFHU0liNFRRRU5BUUlDQWdFSgpNQkFHQ3lxR1NJYjRUUUVOQVFJREFn\nRURNQkFHQ3lxR1NJYjRUUUVOQVFJRUFnRURNQkVHQ3lxR1NJYjRUUUVOCkFRSUZB\nZ0lBL3pBUkJnc3Foa2lHK0UwQkRRRUNCZ0lDQVA4d0VBWUxLb1pJaHZoTkFRMEJB\nZ2NDQVFBd0VBWUwKS29aSWh2aE5BUTBCQWdnQ0FRQXdFQVlMS29aSWh2aE5BUTBC\nQWdrQ0FRQXdFQVlMS29aSWh2aE5BUTBCQWdvQwpBUUF3RUFZTEtvWklodmhOQVEw\nQkFnc0NBUUF3RUFZTEtvWklodmhOQVEwQkFnd0NBUUF3RUFZTEtvWklodmhOCkFR\nMEJBZzBDQVFBd0VBWUxLb1pJaHZoTkFRMEJBZzRDQVFBd0VBWUxLb1pJaHZoTkFR\nMEJBZzhDQVFBd0VBWUwKS29aSWh2aE5BUTBCQWhBQ0FRQXdFQVlMS29aSWh2aE5B\nUTBCQWhFQ0FRMHdId1lMS29aSWh2aE5BUTBCQWhJRQpFQWNKQXdQLy93QUFBQUFB\nQUFBQUFBQXdFQVlLS29aSWh2aE5BUTBCQXdRQ0FBQXdGQVlLS29aSWh2aE5BUTBC\nCkJBUUdNR0JxQUFBQU1BOEdDaXFHU0liNFRRRU5BUVVLQVFFd0hnWUtLb1pJaHZo\nTkFRMEJCZ1FRVnZnMnVWdHYKMU1rM0xTYU9mSjRWSkRCRUJnb3Foa2lHK0UwQkRR\nRUhNRFl3RUFZTEtvWklodmhOQVEwQkJ3RUJBZjh3RUFZTApLb1pJaHZoTkFRMEJC\nd0lCQWY4d0VBWUxLb1pJaHZoTkFRMEJCd01CQWY4d0NnWUlLb1pJemowRUF3SURT\nQUF3ClJRSWhBSWVacWV6bGxETEZjcEFYVmlrellqVVFvOEtGVllqY05SOU14TXFh\nMHRjaUFpQUgvcGYzZ3VKMEhpTVkKWUN4QTRFZGZWcGVBZ3p3WnEweEpuNlNRN2tV\nK3BBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJ\nRklDQVRFLS0tLS0KTUlJQ2xqQ0NBajJnQXdJQkFnSVZBSlZ2WGMyOUcrSHBRRW5K\nMVBRenpnRlhDOTVVTUFvR0NDcUdTTTQ5QkFNQwpNR2d4R2pBWUJnTlZCQU1NRVVs\ndWRHVnNJRk5IV0NCU2IyOTBJRU5CTVJvd0dBWURWUVFLREJGSmJuUmxiQ0JECmIz\nSndiM0poZEdsdmJqRVVNQklHQTFVRUJ3d0xVMkZ1ZEdFZ1EyeGhjbUV4Q3pBSkJn\nTlZCQWdNQWtOQk1Rc3cKQ1FZRFZRUUdFd0pWVXpBZUZ3MHhPREExTWpFeE1EVXdN\nVEJhRncwek16QTFNakV4TURVd01UQmFNSEF4SWpBZwpCZ05WQkFNTUdVbHVkR1Zz\nSUZOSFdDQlFRMHNnVUd4aGRHWnZjbTBnUTBFeEdqQVlCZ05WQkFvTUVVbHVkR1Zz\nCklFTnZjbkJ2Y21GMGFXOXVNUlF3RWdZRFZRUUhEQXRUWVc1MFlTQkRiR0Z5WVRF\nTE1Ba0dBMVVFQ0F3Q1EwRXgKQ3pBSkJnTlZCQVlUQWxWVE1Ga3dFd1lIS29aSXpq\nMENBUVlJS29aSXpqMERBUWNEUWdBRU5TQi83dDIxbFhTTwoyQ3V6cHh3NzRlSkI3\nMkV5REdnVzVyWEN0eDJ0VlRMcTZoS2s2eitVaVJaQ25xUjdwc092Z3FGZVN4bG1U\nbEpsCmVUbWkyV1l6M3FPQnV6Q0J1REFmQmdOVkhTTUVHREFXZ0JRaVpReldXcDAw\naWZPRHRKVlN2MUFiT1NjR3JEQlMKQmdOVkhSOEVTekJKTUVlZ1JhQkRoa0ZvZEhS\nd2N6b3ZMMk5sY25ScFptbGpZWFJsY3k1MGNuVnpkR1ZrYzJWeQpkbWxqWlhNdWFX\nNTBaV3d1WTI5dEwwbHVkR1ZzVTBkWVVtOXZkRU5CTG1SbGNqQWRCZ05WSFE0RUZn\nUVVsVzlkCnpiMGI0ZWxBU2NuVTlEUE9BVmNMM2xRd0RnWURWUjBQQVFIL0JBUURB\nZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKQWY4Q0FRQXdDZ1lJS29aSXpqMEVBd0lE\nUndBd1JBSWdYc1ZraTB3K2k2VllHVzNVRi8yMnVhWGUwWUpEajFVZQpuQStUakQx\nYWk1Y0NJQ1liMVNBbUQ1eGtmVFZwdm80VW95aVNZeHJEV0xtVVI0Q0k5Tkt5ZlBO\nKwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNB\nVEUtLS0tLQpNSUlDanpDQ0FqU2dBd0lCQWdJVUltVU0xbHFkTkluemc3U1ZVcjlR\nR3prbkJxd3dDZ1lJS29aSXpqMEVBd0l3CmFERWFNQmdHQTFVRUF3d1JTVzUwWld3\nZ1UwZFlJRkp2YjNRZ1EwRXhHakFZQmdOVkJBb01FVWx1ZEdWc0lFTnYKY25CdmNt\nRjBhVzl1TVJRd0VnWURWUVFIREF0VFlXNTBZU0JEYkdGeVlURUxNQWtHQTFVRUNB\nd0NRMEV4Q3pBSgpCZ05WQkFZVEFsVlRNQjRYRFRFNE1EVXlNVEV3TkRVeE1Gb1hE\nVFE1TVRJek1USXpOVGsxT1Zvd2FERWFNQmdHCkExVUVBd3dSU1c1MFpXd2dVMGRZ\nSUZKdmIzUWdRMEV4R2pBWUJnTlZCQW9NRVVsdWRHVnNJRU52Y25CdmNtRjAKYVc5\ndU1SUXdFZ1lEVlFRSERBdFRZVzUwWVNCRGJHRnlZVEVMTUFrR0ExVUVDQXdDUTBF\neEN6QUpCZ05WQkFZVApBbFZUTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFR\nY0RRZ0FFQzZuRXdNRElZWk9qL2lQV3NDemFFS2k3CjFPaU9TTFJGaFdHamJuQlZK\nZlZua1k0dTNJamtEWVlMME14TzRtcXN5WWpsQmFsVFZZeEZQMnNKQks1emxLT0IK\ndXpDQnVEQWZCZ05WSFNNRUdEQVdnQlFpWlF6V1dwMDBpZk9EdEpWU3YxQWJPU2NH\nckRCU0JnTlZIUjhFU3pCSgpNRWVnUmFCRGhrRm9kSFJ3Y3pvdkwyTmxjblJwWm1s\nallYUmxjeTUwY25WemRHVmtjMlZ5ZG1salpYTXVhVzUwClpXd3VZMjl0TDBsdWRH\nVnNVMGRZVW05dmRFTkJMbVJsY2pBZEJnTlZIUTRFRmdRVUltVU0xbHFkTkluemc3\nU1YKVXI5UUd6a25CcXd3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIv\nd1FJTUFZQkFmOENBUUV3Q2dZSQpLb1pJemowRUF3SURTUUF3UmdJaEFPVy81UWtS\nK1M5Q2lTRGNOb293THVQUkxzV0dmL1lpN0dTWDk0Qmd3VHdnCkFpRUE0SjBsckhv\nTXMrWG81by9zWDZPOVFXeEhSQXZaVUdPZFJRN2N2cVJYYXFJPQotLS0tLUVORCBD\nRVJUSUZJQ0FURS0tLS0tCgAwDQYJKoZIhvcNAQELBQADggEBAGHbT1NQEW0t5uYp\nmskVka8DDrgVEM8She2htuRXNeeTpaImsFWQhQeSqlK/yc3NH2/+RfGGu4UT/zgS\n4T/oLc8HosQFZxkvcESz1YKtSqHYhfuavlDuR6K0/RS6wy1dADvA6X3b57dJ81EP\nZ/dda6qpPxXBiwhpfcFJtpiP0tIYhS6LJgFnSAdEE9G1HwYUrCYsjQ2LCgBQDqYB\n9AWDmUBh8SSdRQzYJfmHG8LTXox/8mD9Hq8HPhzEzSFwu/Yy+KZX9uxEw0vPvmVI\nbalDQD+0bddS+Jvj4ELLmKRk/yX51Lqx6YYr0rSX7t9RaI9F9muzzQ4mWzWA6ief\nYwF1StA=\n-----END CERTIFICATE-----";