@super-protocol/sdk-js 4.0.15 → 4.0.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/certificates/attr-cert.d.ts +1 -1
- package/dist/cjs/certificates/attr-cert.js +4 -4
- package/dist/cjs/certificates/crl.d.ts +1 -1
- package/dist/cjs/certificates/crl.js +4 -4
- package/dist/cjs/certificates/helper.js +3 -3
- package/dist/cjs/certificates/index.d.ts +1 -1
- package/dist/cjs/certificates/index.js +2 -2
- package/dist/cjs/certificates/ocsp.d.ts +1 -1
- package/dist/cjs/certificates/ocsp.js +11 -11
- package/dist/cjs/certificates/{generator.d.ts → x509.d.ts} +1 -1
- package/dist/cjs/certificates/x509.js +237 -0
- package/dist/mjs/certificates/attr-cert.d.ts +1 -1
- package/dist/mjs/certificates/attr-cert.js +2 -2
- package/dist/mjs/certificates/crl.d.ts +1 -1
- package/dist/mjs/certificates/crl.js +2 -2
- package/dist/mjs/certificates/helper.js +5 -5
- package/dist/mjs/certificates/index.d.ts +1 -1
- package/dist/mjs/certificates/index.js +2 -2
- package/dist/mjs/certificates/ocsp.d.ts +1 -1
- package/dist/mjs/certificates/ocsp.js +9 -9
- package/dist/mjs/certificates/{generator.d.ts → x509.d.ts} +1 -1
- package/dist/mjs/certificates/x509.js +230 -0
- package/package.json +2 -2
- package/dist/cjs/certificates/generator.js +0 -237
- package/dist/mjs/certificates/generator.js +0 -230
|
@@ -1,237 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
-
};
|
|
5
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
exports.CertificateGenerator = void 0;
|
|
7
|
-
const assert_1 = __importDefault(require("assert"));
|
|
8
|
-
const node_forge_1 = __importDefault(require("node-forge"));
|
|
9
|
-
const x509_1 = require("@peculiar/x509");
|
|
10
|
-
const setup_crypto_js_1 = require("./setup-crypto.js");
|
|
11
|
-
const CryptoKeysTransformer_js_1 = require("../utils/CryptoKeysTransformer.js");
|
|
12
|
-
const helper_js_1 = require("../utils/helper.js");
|
|
13
|
-
const helper_js_2 = require("./helper.js");
|
|
14
|
-
const ONE_HOUR_MS = 60 * 60 * 1000; // 1 hour in milliseconds
|
|
15
|
-
const notAllowedCertificateCustomExtensions = [...Object.values(node_forge_1.default.pki.oids)];
|
|
16
|
-
class CertificateGenerator {
|
|
17
|
-
/**
|
|
18
|
-
* Generates certificate based on the provided parameters.
|
|
19
|
-
* @param params - Parameters for generating the certificate.
|
|
20
|
-
* @returns The generated certificate in PEM format.
|
|
21
|
-
*/
|
|
22
|
-
static async generateCert(params) {
|
|
23
|
-
const ca = Boolean(params.ca);
|
|
24
|
-
const { publicKey: subjectPublicKey, privateKey: signerPrivateKey } = await CertificateGenerator.getCryptoKeys(params);
|
|
25
|
-
const signingAlgorithm = subjectPublicKey.algorithm;
|
|
26
|
-
const extensions = [new x509_1.BasicConstraintsExtension(ca, undefined, true)];
|
|
27
|
-
const extendedKeyUsageItems = [];
|
|
28
|
-
if (signingAlgorithm.namedCurve !== 'K-256' && params.dnsNames?.length) {
|
|
29
|
-
const generalNames = params.dnsNames.map((dnsName) => ({
|
|
30
|
-
type: ((0, helper_js_1.isIpAddress)(dnsName) ? 'ip' : 'dns'),
|
|
31
|
-
value: dnsName,
|
|
32
|
-
}));
|
|
33
|
-
extensions.push(new x509_1.SubjectAlternativeNameExtension(generalNames));
|
|
34
|
-
extendedKeyUsageItems.push(...[x509_1.ExtendedKeyUsage.serverAuth, x509_1.ExtendedKeyUsage.clientAuth]);
|
|
35
|
-
}
|
|
36
|
-
if (params.ocspSigning) {
|
|
37
|
-
extendedKeyUsageItems.push(x509_1.ExtendedKeyUsage.ocspSigning);
|
|
38
|
-
}
|
|
39
|
-
if (params.ocspExtension) {
|
|
40
|
-
const { ocspUrl, issuerCertUrl } = params.ocspExtension;
|
|
41
|
-
extensions.push(new x509_1.AuthorityInfoAccessExtension({
|
|
42
|
-
ocsp: [ocspUrl],
|
|
43
|
-
...(issuerCertUrl ? { caIssuers: [issuerCertUrl] } : {}),
|
|
44
|
-
}));
|
|
45
|
-
}
|
|
46
|
-
if (extendedKeyUsageItems.length) {
|
|
47
|
-
extensions.push(new x509_1.ExtendedKeyUsageExtension(extendedKeyUsageItems, false));
|
|
48
|
-
}
|
|
49
|
-
let keyUsageFlags = x509_1.KeyUsageFlags.digitalSignature | x509_1.KeyUsageFlags.keyEncipherment;
|
|
50
|
-
if (params.ca) {
|
|
51
|
-
keyUsageFlags |= x509_1.KeyUsageFlags.keyCertSign;
|
|
52
|
-
}
|
|
53
|
-
extensions.push(new x509_1.KeyUsagesExtension(keyUsageFlags, true));
|
|
54
|
-
const signerPublicKey = await CryptoKeysTransformer_js_1.CryptoKeysTransformer.cryptoPublicFromCryptoPrivate(signerPrivateKey);
|
|
55
|
-
extensions.push(...[
|
|
56
|
-
await x509_1.AuthorityKeyIdentifierExtension.create(signerPublicKey),
|
|
57
|
-
await x509_1.SubjectKeyIdentifierExtension.create(subjectPublicKey),
|
|
58
|
-
]);
|
|
59
|
-
if (params.customExtensions?.length) {
|
|
60
|
-
const filteredExtensions = params.customExtensions.filter((ext) => !notAllowedCertificateCustomExtensions.includes(ext.oid));
|
|
61
|
-
for (const customExtension of filteredExtensions) {
|
|
62
|
-
if (!customExtension.oid || !customExtension.value) {
|
|
63
|
-
throw new Error('Custom extension OID and value are required');
|
|
64
|
-
}
|
|
65
|
-
extensions.push(new x509_1.Extension(customExtension.oid, false, customExtension.value));
|
|
66
|
-
}
|
|
67
|
-
}
|
|
68
|
-
const createCertificateParams = {
|
|
69
|
-
serialNumber: helper_js_2.CertificatesHelper.generateSerialNumber().toString(16),
|
|
70
|
-
issuer: helper_js_2.CertificatesHelper.serializePrincipalInfo(params.issuer),
|
|
71
|
-
subject: helper_js_2.CertificatesHelper.serializePrincipalInfo(params.subject),
|
|
72
|
-
notBefore: new Date(Date.now() - ONE_HOUR_MS), //1 hour ago to avoid clock skew issues between servers
|
|
73
|
-
notAfter: params.notAfter,
|
|
74
|
-
publicKey: subjectPublicKey,
|
|
75
|
-
signingKey: signerPrivateKey,
|
|
76
|
-
signingAlgorithm,
|
|
77
|
-
extensions,
|
|
78
|
-
};
|
|
79
|
-
const cert = await x509_1.X509CertificateGenerator.create(createCertificateParams);
|
|
80
|
-
return cert.toString('pem');
|
|
81
|
-
}
|
|
82
|
-
/**
|
|
83
|
-
* Generates a pair of cryptographic keys based on the specified signature algorithm.
|
|
84
|
-
* @param signatureAlgorithm - The algorithm to use for key generation.
|
|
85
|
-
* @returns A promise that resolves to a CryptoKeyPair containing the public and private keys.
|
|
86
|
-
*/
|
|
87
|
-
static generateKeys(signatureAlgorithm) {
|
|
88
|
-
const algorithm = CertificateGenerator.getAlgorithm(signatureAlgorithm);
|
|
89
|
-
return setup_crypto_js_1.cryptoProvider.subtle.generateKey(algorithm, true, ['sign', 'verify']);
|
|
90
|
-
}
|
|
91
|
-
/**
|
|
92
|
-
* Generates a Certificate Signing Request (CSR) based on the provided parameters.
|
|
93
|
-
* @param params - Parameters for generating the CSR.
|
|
94
|
-
* @returns The generated CSR in PEM format.
|
|
95
|
-
*/
|
|
96
|
-
static async generateCsr(params) {
|
|
97
|
-
const keys = await CertificateGenerator.getCryptoKeys(params);
|
|
98
|
-
const signingAlgorithm = keys.publicKey.algorithm;
|
|
99
|
-
signingAlgorithm.hash = { name: 'SHA-256' };
|
|
100
|
-
const extensions = [];
|
|
101
|
-
if (signingAlgorithm.namedCurve !== 'K-256' && params.dnsNames?.length) {
|
|
102
|
-
const generalNames = params.dnsNames.map((dnsName) => ({
|
|
103
|
-
type: ((0, helper_js_1.isIpAddress)(dnsName) ? 'ip' : 'dns'),
|
|
104
|
-
value: dnsName,
|
|
105
|
-
}));
|
|
106
|
-
extensions.push(new x509_1.SubjectAlternativeNameExtension(generalNames));
|
|
107
|
-
}
|
|
108
|
-
if (params.customExtensions?.length) {
|
|
109
|
-
for (const customExtension of params.customExtensions) {
|
|
110
|
-
if (!customExtension.oid || !customExtension.value) {
|
|
111
|
-
throw new Error(`Some custom extension missed OID or value`);
|
|
112
|
-
}
|
|
113
|
-
extensions.push(new x509_1.Extension(customExtension.oid, false, customExtension.value));
|
|
114
|
-
}
|
|
115
|
-
}
|
|
116
|
-
const createCsrParams = {
|
|
117
|
-
name: helper_js_2.CertificatesHelper.serializePrincipalInfo(params.subject),
|
|
118
|
-
keys,
|
|
119
|
-
signingAlgorithm,
|
|
120
|
-
extensions,
|
|
121
|
-
};
|
|
122
|
-
const csr = await x509_1.Pkcs10CertificateRequestGenerator.create(createCsrParams);
|
|
123
|
-
return csr.toString('pem');
|
|
124
|
-
}
|
|
125
|
-
/**
|
|
126
|
-
* Verifies self-signed certificate
|
|
127
|
-
* @param rawCert - the certificate
|
|
128
|
-
* @returns An object containing the verification result.
|
|
129
|
-
*/
|
|
130
|
-
static verifySelfSignedCert(rawCert) {
|
|
131
|
-
const cert = new x509_1.X509Certificate(rawCert);
|
|
132
|
-
if (cert.issuer !== cert.subject) {
|
|
133
|
-
return Promise.resolve({ isValid: false });
|
|
134
|
-
}
|
|
135
|
-
return cert.verify().then((isValid) => ({ isValid }));
|
|
136
|
-
}
|
|
137
|
-
/**
|
|
138
|
-
* Parses a certificate
|
|
139
|
-
* @param rawCert - the certificate
|
|
140
|
-
* @returns An object containing the parsed certificate details.
|
|
141
|
-
*/
|
|
142
|
-
static async parseCert(rawCert) {
|
|
143
|
-
const cert = new x509_1.X509Certificate(rawCert);
|
|
144
|
-
const publicKey = await setup_crypto_js_1.cryptoProvider.subtle.importKey('spki', cert.publicKey.rawData, Object.assign(cert.signatureAlgorithm, cert.publicKey.algorithm), true, ['verify']);
|
|
145
|
-
const authorityKeyIdentifierExt = cert.extensions.find((ext) => ext instanceof x509_1.AuthorityKeyIdentifierExtension);
|
|
146
|
-
const authorityKeyIdentifier = authorityKeyIdentifierExt?.keyId;
|
|
147
|
-
const subjectKeyIdentifierExt = cert.extensions.find((ext) => ext instanceof x509_1.SubjectKeyIdentifierExtension);
|
|
148
|
-
const subjectKeyIdentifier = subjectKeyIdentifierExt?.keyId;
|
|
149
|
-
return {
|
|
150
|
-
serialNumberHex: cert.serialNumber,
|
|
151
|
-
publicKey,
|
|
152
|
-
subject: cert.subject,
|
|
153
|
-
issuer: cert.issuer,
|
|
154
|
-
notBefore: cert.notBefore,
|
|
155
|
-
notAfter: cert.notAfter,
|
|
156
|
-
dnsNames: CertificateGenerator.extractDnsNamesFromExtensions(cert.extensions),
|
|
157
|
-
authorityKeyIdentifier,
|
|
158
|
-
subjectKeyIdentifier,
|
|
159
|
-
extensions: cert.extensions
|
|
160
|
-
.filter((ext) => ext.type !== node_forge_1.default.pki.oids['subjectAltName'])
|
|
161
|
-
.map((ext) => ({
|
|
162
|
-
oid: ext.type,
|
|
163
|
-
value: Buffer.from(ext.value),
|
|
164
|
-
})),
|
|
165
|
-
};
|
|
166
|
-
}
|
|
167
|
-
/**
|
|
168
|
-
* Checks and parses a Certificate Signing Request (CSR) in PEM format.
|
|
169
|
-
* @param csrPem - The CSR in PEM format.
|
|
170
|
-
* @returns An object containing the parsed CSR details.
|
|
171
|
-
*/
|
|
172
|
-
static async checkAndParseCsr(csrPem) {
|
|
173
|
-
const csr = new x509_1.Pkcs10CertificateRequest(csrPem);
|
|
174
|
-
const isValid = await csr.verify();
|
|
175
|
-
if (!isValid) {
|
|
176
|
-
throw new Error('CSR signature verification failed');
|
|
177
|
-
}
|
|
178
|
-
const publicKey = await setup_crypto_js_1.cryptoProvider.subtle.importKey('spki', csr.publicKey.rawData, Object.assign(csr.signatureAlgorithm, csr.publicKey.algorithm), true, ['verify']);
|
|
179
|
-
const parsedCsr = {
|
|
180
|
-
subject: csr.subject,
|
|
181
|
-
publicKey,
|
|
182
|
-
dnsNames: CertificateGenerator.extractDnsNamesFromExtensions(csr.extensions),
|
|
183
|
-
extensions: csr.extensions
|
|
184
|
-
.filter((ext) => ext.type !== node_forge_1.default.pki.oids['subjectAltName'])
|
|
185
|
-
.map((ext) => ({
|
|
186
|
-
oid: ext.type,
|
|
187
|
-
value: Buffer.from(ext.value),
|
|
188
|
-
})),
|
|
189
|
-
};
|
|
190
|
-
return parsedCsr;
|
|
191
|
-
}
|
|
192
|
-
static async getCryptoKeys({ privateKey, publicKey }) {
|
|
193
|
-
const [pubKey, privKey] = await Promise.all([
|
|
194
|
-
typeof publicKey === 'string'
|
|
195
|
-
? CryptoKeysTransformer_js_1.CryptoKeysTransformer.spkiPemToCryptoKey(publicKey)
|
|
196
|
-
: publicKey,
|
|
197
|
-
typeof privateKey === 'string'
|
|
198
|
-
? CryptoKeysTransformer_js_1.CryptoKeysTransformer.pkcs8PemToCryptoKey(privateKey)
|
|
199
|
-
: privateKey,
|
|
200
|
-
]);
|
|
201
|
-
assert_1.default.deepEqual(pubKey.algorithm, privKey.algorithm, 'Both keys must have same algorithm defined');
|
|
202
|
-
return { publicKey: pubKey, privateKey: privKey };
|
|
203
|
-
}
|
|
204
|
-
static getAlgorithm(signatureAlgorithm) {
|
|
205
|
-
switch (signatureAlgorithm) {
|
|
206
|
-
case 'RSASSA-PKCS1-SHA256':
|
|
207
|
-
return {
|
|
208
|
-
name: 'RSASSA-PKCS1-v1_5',
|
|
209
|
-
hash: 'SHA-256',
|
|
210
|
-
publicExponent: new Uint8Array([1, 0, 1]), // 65537
|
|
211
|
-
modulusLength: 2048,
|
|
212
|
-
};
|
|
213
|
-
case 'ECDSA-P-256-SHA256':
|
|
214
|
-
return {
|
|
215
|
-
name: 'ECDSA',
|
|
216
|
-
namedCurve: 'P-256',
|
|
217
|
-
};
|
|
218
|
-
case 'ECDSA-secp256k1-SHA256':
|
|
219
|
-
return {
|
|
220
|
-
name: 'ECDSA',
|
|
221
|
-
namedCurve: 'K-256',
|
|
222
|
-
};
|
|
223
|
-
default:
|
|
224
|
-
throw new Error(`Unsupported signature algorithm: ${signatureAlgorithm}`);
|
|
225
|
-
}
|
|
226
|
-
}
|
|
227
|
-
static extractDnsNamesFromExtensions(extensions) {
|
|
228
|
-
const subjectAltNameExt = extensions.find((ext) => ext.type === node_forge_1.default.pki.oids['subjectAltName']);
|
|
229
|
-
if (!subjectAltNameExt) {
|
|
230
|
-
return;
|
|
231
|
-
}
|
|
232
|
-
const dnsNames = subjectAltNameExt.names.items.map((item) => item.value);
|
|
233
|
-
return dnsNames;
|
|
234
|
-
}
|
|
235
|
-
}
|
|
236
|
-
exports.CertificateGenerator = CertificateGenerator;
|
|
237
|
-
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhdG9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9nZW5lcmF0b3IudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBQUEsb0RBQTRCO0FBQzVCLDREQUErQjtBQUMvQix5Q0FvQndCO0FBVXhCLHVEQUFtRDtBQUNuRCxnRkFBMEU7QUFDMUUsa0RBQWlEO0FBQ2pELDJDQUFpRDtBQUVqRCxNQUFNLFdBQVcsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDLHlCQUF5QjtBQUU3RCxNQUFNLHFDQUFxQyxHQUFHLENBQUMsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLG9CQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7QUFFakYsTUFBYSxvQkFBb0I7SUFDL0I7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsWUFBWSxDQUFDLE1BQTBCO1FBQ2xELE1BQU0sRUFBRSxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUM7UUFFOUIsTUFBTSxFQUFFLFNBQVMsRUFBRSxnQkFBZ0IsRUFBRSxVQUFVLEVBQUUsZ0JBQWdCLEVBQUUsR0FDakUsTUFBTSxvQkFBb0IsQ0FBQyxhQUFhLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDbkQsTUFBTSxnQkFBZ0IsR0FBRyxnQkFBZ0IsQ0FBQyxTQUF5QixDQUFDO1FBRXBFLE1BQU0sVUFBVSxHQUFnQixDQUFDLElBQUksZ0NBQXlCLENBQUMsRUFBRSxFQUFFLFNBQVMsRUFBRSxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBRXJGLE1BQU0scUJBQXFCLEdBQXVCLEVBQUUsQ0FBQztRQUVyRCxJQUFJLGdCQUFnQixDQUFDLFVBQVUsS0FBSyxPQUFPLElBQUksTUFBTSxDQUFDLFFBQVEsRUFBRSxNQUFNLEVBQUUsQ0FBQztZQUN2RSxNQUFNLFlBQVksR0FBcUIsTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDLENBQUM7Z0JBQ3ZFLElBQUksRUFBRSxDQUFDLElBQUEsdUJBQVcsRUFBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQW9CO2dCQUM5RCxLQUFLLEVBQUUsT0FBTzthQUNmLENBQUMsQ0FBQyxDQUFDO1lBQ0osVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLHNDQUErQixDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUM7WUFFbkUscUJBQXFCLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyx1QkFBZ0IsQ0FBQyxVQUFVLEVBQUUsdUJBQWdCLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQztRQUM1RixDQUFDO1FBRUQsSUFBSSxNQUFNLENBQUMsV0FBVyxFQUFFLENBQUM7WUFDdkIscUJBQXFCLENBQUMsSUFBSSxDQUFDLHVCQUFnQixDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzNELENBQUM7UUFFRCxJQUFJLE1BQU0sQ0FBQyxhQUFhLEVBQUUsQ0FBQztZQUN6QixNQUFNLEVBQUUsT0FBTyxFQUFFLGFBQWEsRUFBRSxHQUFHLE1BQU0sQ0FBQyxhQUFhLENBQUM7WUFDeEQsVUFBVSxDQUFDLElBQUksQ0FDYixJQUFJLG1DQUE0QixDQUFDO2dCQUMvQixJQUFJLEVBQUUsQ0FBQyxPQUFPLENBQUM7Z0JBQ2YsR0FBRyxDQUFDLGFBQWEsQ0FBQyxDQUFDLENBQUMsRUFBRSxTQUFTLEVBQUUsQ0FBQyxhQUFhLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7YUFDekQsQ0FBQyxDQUNILENBQUM7UUFDSixDQUFDO1FBRUQsSUFBSSxxQkFBcUIsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNqQyxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksZ0NBQXlCLENBQUMscUJBQXFCLEVBQUUsS0FBSyxDQUFDLENBQUMsQ0FBQztRQUMvRSxDQUFDO1FBRUQsSUFBSSxhQUFhLEdBQUcsb0JBQWEsQ0FBQyxnQkFBZ0IsR0FBRyxvQkFBYSxDQUFDLGVBQWUsQ0FBQztRQUNuRixJQUFJLE1BQU0sQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUNkLGFBQWEsSUFBSSxvQkFBYSxDQUFDLFdBQVcsQ0FBQztRQUM3QyxDQUFDO1FBQ0QsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLHlCQUFrQixDQUFDLGFBQWEsRUFBRSxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBRTdELE1BQU0sZUFBZSxHQUNuQixNQUFNLGdEQUFxQixDQUFDLDZCQUE2QixDQUFDLGdCQUFnQixDQUFDLENBQUM7UUFDOUUsVUFBVSxDQUFDLElBQUksQ0FDYixHQUFHO1lBQ0QsTUFBTSxzQ0FBK0IsQ0FBQyxNQUFNLENBQUMsZUFBZSxDQUFDO1lBQzdELE1BQU0sb0NBQTZCLENBQUMsTUFBTSxDQUFDLGdCQUFnQixDQUFDO1NBQzdELENBQ0YsQ0FBQztRQUVGLElBQUksTUFBTSxDQUFDLGdCQUFnQixFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ3BDLE1BQU0sa0JBQWtCLEdBQUcsTUFBTSxDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FDdkQsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLENBQUMscUNBQXFDLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FDbEUsQ0FBQztZQUNGLEtBQUssTUFBTSxlQUFlLElBQUksa0JBQWtCLEVBQUUsQ0FBQztnQkFDakQsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLElBQUksQ0FBQyxlQUFlLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQ25ELE1BQU0sSUFBSSxLQUFLLENBQUMsNkNBQTZDLENBQUMsQ0FBQztnQkFDakUsQ0FBQztnQkFDRCxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksZ0JBQVMsQ0FBQyxlQUFlLENBQUMsR0FBRyxFQUFFLEtBQUssRUFBRSxlQUFlLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQztZQUNwRixDQUFDO1FBQ0gsQ0FBQztRQUVELE1BQU0sdUJBQXVCLEdBQWdDO1lBQzNELFlBQVksRUFBRSw4QkFBa0IsQ0FBQyxvQkFBb0IsRUFBRSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7WUFDcEUsTUFBTSxFQUFFLDhCQUFrQixDQUFDLHNCQUFzQixDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUM7WUFDaEUsT0FBTyxFQUFFLDhCQUFrQixDQUFDLHNCQUFzQixDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUM7WUFDbEUsU0FBUyxFQUFFLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxXQUFXLENBQUMsRUFBRSx1REFBdUQ7WUFDdEcsUUFBUSxFQUFFLE1BQU0sQ0FBQyxRQUFRO1lBQ3pCLFNBQVMsRUFBRSxnQkFBZ0I7WUFDM0IsVUFBVSxFQUFFLGdCQUFnQjtZQUM1QixnQkFBZ0I7WUFDaEIsVUFBVTtTQUNYLENBQUM7UUFFRixNQUFNLElBQUksR0FBRyxNQUFNLCtCQUF3QixDQUFDLE1BQU0sQ0FBQyx1QkFBdUIsQ0FBQyxDQUFDO1FBRTVFLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUM5QixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxZQUFZLENBQUMsa0JBQXNDO1FBQ3hELE1BQU0sU0FBUyxHQUFHLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO1FBQ3hFLE9BQU8sZ0NBQWMsQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDLFNBQVMsRUFBRSxJQUFJLEVBQUUsQ0FBQyxNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztJQUNoRixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsV0FBVyxDQUFDLE1BQXlCO1FBQ2hELE1BQU0sSUFBSSxHQUFHLE1BQU0sb0JBQW9CLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQzlELE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxTQUF5QixDQUFDO1FBQ2xFLGdCQUFnQixDQUFDLElBQUksR0FBRyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsQ0FBQztRQUU1QyxNQUFNLFVBQVUsR0FBZ0IsRUFBRSxDQUFDO1FBRW5DLElBQUksZ0JBQWdCLENBQUMsVUFBVSxLQUFLLE9BQU8sSUFBSSxNQUFNLENBQUMsUUFBUSxFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ3ZFLE1BQU0sWUFBWSxHQUFxQixNQUFNLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDdkUsSUFBSSxFQUFFLENBQUMsSUFBQSx1QkFBVyxFQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBb0I7Z0JBQzlELEtBQUssRUFBRSxPQUFPO2FBQ2YsQ0FBQyxDQUFDLENBQUM7WUFDSixVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksc0NBQStCLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQztRQUNyRSxDQUFDO1FBRUQsSUFBSSxNQUFNLENBQUMsZ0JBQWdCLEVBQUUsTUFBTSxFQUFFLENBQUM7WUFDcEMsS0FBSyxNQUFNLGVBQWUsSUFBSSxNQUFNLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDdEQsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLElBQUksQ0FBQyxlQUFlLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQ25ELE1BQU0sSUFBSSxLQUFLLENBQUMsMkNBQTJDLENBQUMsQ0FBQztnQkFDL0QsQ0FBQztnQkFDRCxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksZ0JBQVMsQ0FBQyxlQUFlLENBQUMsR0FBRyxFQUFFLEtBQUssRUFBRSxlQUFlLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQztZQUNwRixDQUFDO1FBQ0gsQ0FBQztRQUVELE1BQU0sZUFBZSxHQUF5QztZQUM1RCxJQUFJLEVBQUUsOEJBQWtCLENBQUMsc0JBQXNCLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQztZQUMvRCxJQUFJO1lBQ0osZ0JBQWdCO1lBQ2hCLFVBQVU7U0FDWCxDQUFDO1FBRUYsTUFBTSxHQUFHLEdBQUcsTUFBTSx3Q0FBaUMsQ0FBQyxNQUFNLENBQUMsZUFBZSxDQUFDLENBQUM7UUFFNUUsT0FBTyxHQUFHLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQzdCLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsTUFBTSxDQUFDLG9CQUFvQixDQUFDLE9BQXVCO1FBQ2pELE1BQU0sSUFBSSxHQUFHLElBQUksc0JBQWUsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUUxQyxJQUFJLElBQUksQ0FBQyxNQUFNLEtBQUssSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ2pDLE9BQU8sT0FBTyxDQUFDLE9BQU8sQ0FBQyxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUUsQ0FBQyxDQUFDO1FBQzdDLENBQUM7UUFFRCxPQUFPLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDLENBQUMsRUFBRSxPQUFPLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFDeEQsQ0FBQztJQUVEOzs7O09BSUc7SUFDSCxNQUFNLENBQUMsS0FBSyxDQUFDLFNBQVMsQ0FBQyxPQUF1QjtRQUM1QyxNQUFNLElBQUksR0FBRyxJQUFJLHNCQUFlLENBQUMsT0FBTyxDQUFDLENBQUM7UUFFMUMsTUFBTSxTQUFTLEdBQUcsTUFBTSxnQ0FBYyxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3JELE1BQU0sRUFDTixJQUFJLENBQUMsU0FBUyxDQUFDLE9BQU8sRUFDdEIsTUFBTSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsa0JBQWtCLEVBQUUsSUFBSSxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsRUFDaEUsSUFBSSxFQUNKLENBQUMsUUFBUSxDQUFDLENBQ1gsQ0FBQztRQUVGLE1BQU0seUJBQXlCLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQ3BELENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLFlBQVksc0NBQStCLENBQ1QsQ0FBQztRQUNqRCxNQUFNLHNCQUFzQixHQUFHLHlCQUF5QixFQUFFLEtBQUssQ0FBQztRQUVoRSxNQUFNLHVCQUF1QixHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUNsRCxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxZQUFZLG9DQUE2QixDQUNULENBQUM7UUFDL0MsTUFBTSxvQkFBb0IsR0FBRyx1QkFBdUIsRUFBRSxLQUFLLENBQUM7UUFFNUQsT0FBTztZQUNMLGVBQWUsRUFBRSxJQUFJLENBQUMsWUFBWTtZQUNsQyxTQUFTO1lBQ1QsT0FBTyxFQUFFLElBQUksQ0FBQyxPQUFPO1lBQ3JCLE1BQU0sRUFBRSxJQUFJLENBQUMsTUFBTTtZQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7WUFDekIsUUFBUSxFQUFFLElBQUksQ0FBQyxRQUFRO1lBQ3ZCLFFBQVEsRUFBRSxvQkFBb0IsQ0FBQyw2QkFBNkIsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDO1lBQzdFLHNCQUFzQjtZQUN0QixvQkFBb0I7WUFDcEIsVUFBVSxFQUFFLElBQUksQ0FBQyxVQUFVO2lCQUN4QixNQUFNLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxJQUFJLEtBQUssb0JBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQUM7aUJBQzlELEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDYixHQUFHLEVBQUUsR0FBRyxDQUFDLElBQUk7Z0JBQ2IsS0FBSyxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQzthQUM5QixDQUFDLENBQUM7U0FDTixDQUFDO0lBQ0osQ0FBQztJQUVEOzs7O09BSUc7SUFDSCxNQUFNLENBQUMsS0FBSyxDQUFDLGdCQUFnQixDQUFDLE1BQWM7UUFDMUMsTUFBTSxHQUFHLEdBQUcsSUFBSSwrQkFBd0IsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUVqRCxNQUFNLE9BQU8sR0FBRyxNQUFNLEdBQUcsQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUNuQyxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDYixNQUFNLElBQUksS0FBSyxDQUFDLG1DQUFtQyxDQUFDLENBQUM7UUFDdkQsQ0FBQztRQUVELE1BQU0sU0FBUyxHQUFHLE1BQU0sZ0NBQWMsQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUNyRCxNQUFNLEVBQ04sR0FBRyxDQUFDLFNBQVMsQ0FBQyxPQUFPLEVBQ3JCLE1BQU0sQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLGtCQUFrQixFQUFFLEdBQUcsQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLEVBQzlELElBQUksRUFDSixDQUFDLFFBQVEsQ0FBQyxDQUNYLENBQUM7UUFFRixNQUFNLFNBQVMsR0FBYztZQUMzQixPQUFPLEVBQUUsR0FBRyxDQUFDLE9BQU87WUFDcEIsU0FBUztZQUNULFFBQVEsRUFBRSxvQkFBb0IsQ0FBQyw2QkFBNkIsQ0FBQyxHQUFHLENBQUMsVUFBVSxDQUFDO1lBQzVFLFVBQVUsRUFBRSxHQUFHLENBQUMsVUFBVTtpQkFDdkIsTUFBTSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsSUFBSSxLQUFLLG9CQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO2lCQUM5RCxHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLENBQUM7Z0JBQ2IsR0FBRyxFQUFFLEdBQUcsQ0FBQyxJQUFJO2dCQUNiLEtBQUssRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUM7YUFDOUIsQ0FBQyxDQUFDO1NBQ04sQ0FBQztRQUVGLE9BQU8sU0FBUyxDQUFDO0lBQ25CLENBQUM7SUFFTyxNQUFNLENBQUMsS0FBSyxDQUFDLGFBQWEsQ0FBQyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQW1CO1FBSTNFLE1BQU0sQ0FBQyxNQUFNLEVBQUUsT0FBTyxDQUFDLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDO1lBQzFDLE9BQU8sU0FBUyxLQUFLLFFBQVE7Z0JBQzNCLENBQUMsQ0FBQyxnREFBcUIsQ0FBQyxrQkFBa0IsQ0FBQyxTQUFTLENBQUM7Z0JBQ3JELENBQUMsQ0FBQyxTQUFTO1lBQ2IsT0FBTyxVQUFVLEtBQUssUUFBUTtnQkFDNUIsQ0FBQyxDQUFDLGdEQUFxQixDQUFDLG1CQUFtQixDQUFDLFVBQVUsQ0FBQztnQkFDdkQsQ0FBQyxDQUFDLFVBQVU7U0FDZixDQUFDLENBQUM7UUFFSCxnQkFBTSxDQUFDLFNBQVMsQ0FDZCxNQUFNLENBQUMsU0FBUyxFQUNoQixPQUFPLENBQUMsU0FBUyxFQUNqQiw0Q0FBNEMsQ0FDN0MsQ0FBQztRQUVGLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxPQUFPLEVBQUUsQ0FBQztJQUNwRCxDQUFDO0lBRU8sTUFBTSxDQUFDLFlBQVksQ0FBQyxrQkFBMEI7UUFDcEQsUUFBUSxrQkFBa0IsRUFBRSxDQUFDO1lBQzNCLEtBQUsscUJBQXFCO2dCQUN4QixPQUFPO29CQUNMLElBQUksRUFBRSxtQkFBbUI7b0JBQ3pCLElBQUksRUFBRSxTQUFTO29CQUNmLGNBQWMsRUFBRSxJQUFJLFVBQVUsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsRUFBRSxRQUFRO29CQUNuRCxhQUFhLEVBQUUsSUFBSTtpQkFDcEIsQ0FBQztZQUNKLEtBQUssb0JBQW9CO2dCQUN2QixPQUFPO29CQUNMLElBQUksRUFBRSxPQUFPO29CQUNiLFVBQVUsRUFBRSxPQUFPO2lCQUNwQixDQUFDO1lBQ0osS0FBSyx3QkFBd0I7Z0JBQzNCLE9BQU87b0JBQ0wsSUFBSSxFQUFFLE9BQU87b0JBQ2IsVUFBVSxFQUFFLE9BQU87aUJBQ3BCLENBQUM7WUFDSjtnQkFDRSxNQUFNLElBQUksS0FBSyxDQUFDLG9DQUFvQyxrQkFBa0IsRUFBRSxDQUFDLENBQUM7UUFDOUUsQ0FBQztJQUNILENBQUM7SUFFTyxNQUFNLENBQUMsNkJBQTZCLENBQUMsVUFBdUI7UUFDbEUsTUFBTSxpQkFBaUIsR0FBRyxVQUFVLENBQUMsSUFBSSxDQUN2QyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLElBQUksS0FBSyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsQ0FDUixDQUFDO1FBQ2pELElBQUksQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1lBQ3ZCLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxRQUFRLEdBQUcsaUJBQWlCLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUN6RSxPQUFPLFFBQVEsQ0FBQztJQUNsQixDQUFDO0NBQ0Y7QUFyU0Qsb0RBcVNDIn0=
|
|
@@ -1,230 +0,0 @@
|
|
|
1
|
-
import assert from 'assert';
|
|
2
|
-
import forge from 'node-forge';
|
|
3
|
-
import { X509CertificateGenerator, BasicConstraintsExtension, ExtendedKeyUsageExtension, Extension, SubjectAlternativeNameExtension, ExtendedKeyUsage, KeyUsageFlags, KeyUsagesExtension, Pkcs10CertificateRequestGenerator, Pkcs10CertificateRequest, X509Certificate, AuthorityInfoAccessExtension, AuthorityKeyIdentifierExtension, SubjectKeyIdentifierExtension, } from '@peculiar/x509';
|
|
4
|
-
import { cryptoProvider } from './setup-crypto.js';
|
|
5
|
-
import { CryptoKeysTransformer } from '../utils/CryptoKeysTransformer.js';
|
|
6
|
-
import { isIpAddress } from '../utils/helper.js';
|
|
7
|
-
import { CertificatesHelper } from './helper.js';
|
|
8
|
-
const ONE_HOUR_MS = 60 * 60 * 1000; // 1 hour in milliseconds
|
|
9
|
-
const notAllowedCertificateCustomExtensions = [...Object.values(forge.pki.oids)];
|
|
10
|
-
export class CertificateGenerator {
|
|
11
|
-
/**
|
|
12
|
-
* Generates certificate based on the provided parameters.
|
|
13
|
-
* @param params - Parameters for generating the certificate.
|
|
14
|
-
* @returns The generated certificate in PEM format.
|
|
15
|
-
*/
|
|
16
|
-
static async generateCert(params) {
|
|
17
|
-
const ca = Boolean(params.ca);
|
|
18
|
-
const { publicKey: subjectPublicKey, privateKey: signerPrivateKey } = await CertificateGenerator.getCryptoKeys(params);
|
|
19
|
-
const signingAlgorithm = subjectPublicKey.algorithm;
|
|
20
|
-
const extensions = [new BasicConstraintsExtension(ca, undefined, true)];
|
|
21
|
-
const extendedKeyUsageItems = [];
|
|
22
|
-
if (signingAlgorithm.namedCurve !== 'K-256' && params.dnsNames?.length) {
|
|
23
|
-
const generalNames = params.dnsNames.map((dnsName) => ({
|
|
24
|
-
type: (isIpAddress(dnsName) ? 'ip' : 'dns'),
|
|
25
|
-
value: dnsName,
|
|
26
|
-
}));
|
|
27
|
-
extensions.push(new SubjectAlternativeNameExtension(generalNames));
|
|
28
|
-
extendedKeyUsageItems.push(...[ExtendedKeyUsage.serverAuth, ExtendedKeyUsage.clientAuth]);
|
|
29
|
-
}
|
|
30
|
-
if (params.ocspSigning) {
|
|
31
|
-
extendedKeyUsageItems.push(ExtendedKeyUsage.ocspSigning);
|
|
32
|
-
}
|
|
33
|
-
if (params.ocspExtension) {
|
|
34
|
-
const { ocspUrl, issuerCertUrl } = params.ocspExtension;
|
|
35
|
-
extensions.push(new AuthorityInfoAccessExtension({
|
|
36
|
-
ocsp: [ocspUrl],
|
|
37
|
-
...(issuerCertUrl ? { caIssuers: [issuerCertUrl] } : {}),
|
|
38
|
-
}));
|
|
39
|
-
}
|
|
40
|
-
if (extendedKeyUsageItems.length) {
|
|
41
|
-
extensions.push(new ExtendedKeyUsageExtension(extendedKeyUsageItems, false));
|
|
42
|
-
}
|
|
43
|
-
let keyUsageFlags = KeyUsageFlags.digitalSignature | KeyUsageFlags.keyEncipherment;
|
|
44
|
-
if (params.ca) {
|
|
45
|
-
keyUsageFlags |= KeyUsageFlags.keyCertSign;
|
|
46
|
-
}
|
|
47
|
-
extensions.push(new KeyUsagesExtension(keyUsageFlags, true));
|
|
48
|
-
const signerPublicKey = await CryptoKeysTransformer.cryptoPublicFromCryptoPrivate(signerPrivateKey);
|
|
49
|
-
extensions.push(...[
|
|
50
|
-
await AuthorityKeyIdentifierExtension.create(signerPublicKey),
|
|
51
|
-
await SubjectKeyIdentifierExtension.create(subjectPublicKey),
|
|
52
|
-
]);
|
|
53
|
-
if (params.customExtensions?.length) {
|
|
54
|
-
const filteredExtensions = params.customExtensions.filter((ext) => !notAllowedCertificateCustomExtensions.includes(ext.oid));
|
|
55
|
-
for (const customExtension of filteredExtensions) {
|
|
56
|
-
if (!customExtension.oid || !customExtension.value) {
|
|
57
|
-
throw new Error('Custom extension OID and value are required');
|
|
58
|
-
}
|
|
59
|
-
extensions.push(new Extension(customExtension.oid, false, customExtension.value));
|
|
60
|
-
}
|
|
61
|
-
}
|
|
62
|
-
const createCertificateParams = {
|
|
63
|
-
serialNumber: CertificatesHelper.generateSerialNumber().toString(16),
|
|
64
|
-
issuer: CertificatesHelper.serializePrincipalInfo(params.issuer),
|
|
65
|
-
subject: CertificatesHelper.serializePrincipalInfo(params.subject),
|
|
66
|
-
notBefore: new Date(Date.now() - ONE_HOUR_MS), //1 hour ago to avoid clock skew issues between servers
|
|
67
|
-
notAfter: params.notAfter,
|
|
68
|
-
publicKey: subjectPublicKey,
|
|
69
|
-
signingKey: signerPrivateKey,
|
|
70
|
-
signingAlgorithm,
|
|
71
|
-
extensions,
|
|
72
|
-
};
|
|
73
|
-
const cert = await X509CertificateGenerator.create(createCertificateParams);
|
|
74
|
-
return cert.toString('pem');
|
|
75
|
-
}
|
|
76
|
-
/**
|
|
77
|
-
* Generates a pair of cryptographic keys based on the specified signature algorithm.
|
|
78
|
-
* @param signatureAlgorithm - The algorithm to use for key generation.
|
|
79
|
-
* @returns A promise that resolves to a CryptoKeyPair containing the public and private keys.
|
|
80
|
-
*/
|
|
81
|
-
static generateKeys(signatureAlgorithm) {
|
|
82
|
-
const algorithm = CertificateGenerator.getAlgorithm(signatureAlgorithm);
|
|
83
|
-
return cryptoProvider.subtle.generateKey(algorithm, true, ['sign', 'verify']);
|
|
84
|
-
}
|
|
85
|
-
/**
|
|
86
|
-
* Generates a Certificate Signing Request (CSR) based on the provided parameters.
|
|
87
|
-
* @param params - Parameters for generating the CSR.
|
|
88
|
-
* @returns The generated CSR in PEM format.
|
|
89
|
-
*/
|
|
90
|
-
static async generateCsr(params) {
|
|
91
|
-
const keys = await CertificateGenerator.getCryptoKeys(params);
|
|
92
|
-
const signingAlgorithm = keys.publicKey.algorithm;
|
|
93
|
-
signingAlgorithm.hash = { name: 'SHA-256' };
|
|
94
|
-
const extensions = [];
|
|
95
|
-
if (signingAlgorithm.namedCurve !== 'K-256' && params.dnsNames?.length) {
|
|
96
|
-
const generalNames = params.dnsNames.map((dnsName) => ({
|
|
97
|
-
type: (isIpAddress(dnsName) ? 'ip' : 'dns'),
|
|
98
|
-
value: dnsName,
|
|
99
|
-
}));
|
|
100
|
-
extensions.push(new SubjectAlternativeNameExtension(generalNames));
|
|
101
|
-
}
|
|
102
|
-
if (params.customExtensions?.length) {
|
|
103
|
-
for (const customExtension of params.customExtensions) {
|
|
104
|
-
if (!customExtension.oid || !customExtension.value) {
|
|
105
|
-
throw new Error(`Some custom extension missed OID or value`);
|
|
106
|
-
}
|
|
107
|
-
extensions.push(new Extension(customExtension.oid, false, customExtension.value));
|
|
108
|
-
}
|
|
109
|
-
}
|
|
110
|
-
const createCsrParams = {
|
|
111
|
-
name: CertificatesHelper.serializePrincipalInfo(params.subject),
|
|
112
|
-
keys,
|
|
113
|
-
signingAlgorithm,
|
|
114
|
-
extensions,
|
|
115
|
-
};
|
|
116
|
-
const csr = await Pkcs10CertificateRequestGenerator.create(createCsrParams);
|
|
117
|
-
return csr.toString('pem');
|
|
118
|
-
}
|
|
119
|
-
/**
|
|
120
|
-
* Verifies self-signed certificate
|
|
121
|
-
* @param rawCert - the certificate
|
|
122
|
-
* @returns An object containing the verification result.
|
|
123
|
-
*/
|
|
124
|
-
static verifySelfSignedCert(rawCert) {
|
|
125
|
-
const cert = new X509Certificate(rawCert);
|
|
126
|
-
if (cert.issuer !== cert.subject) {
|
|
127
|
-
return Promise.resolve({ isValid: false });
|
|
128
|
-
}
|
|
129
|
-
return cert.verify().then((isValid) => ({ isValid }));
|
|
130
|
-
}
|
|
131
|
-
/**
|
|
132
|
-
* Parses a certificate
|
|
133
|
-
* @param rawCert - the certificate
|
|
134
|
-
* @returns An object containing the parsed certificate details.
|
|
135
|
-
*/
|
|
136
|
-
static async parseCert(rawCert) {
|
|
137
|
-
const cert = new X509Certificate(rawCert);
|
|
138
|
-
const publicKey = await cryptoProvider.subtle.importKey('spki', cert.publicKey.rawData, Object.assign(cert.signatureAlgorithm, cert.publicKey.algorithm), true, ['verify']);
|
|
139
|
-
const authorityKeyIdentifierExt = cert.extensions.find((ext) => ext instanceof AuthorityKeyIdentifierExtension);
|
|
140
|
-
const authorityKeyIdentifier = authorityKeyIdentifierExt?.keyId;
|
|
141
|
-
const subjectKeyIdentifierExt = cert.extensions.find((ext) => ext instanceof SubjectKeyIdentifierExtension);
|
|
142
|
-
const subjectKeyIdentifier = subjectKeyIdentifierExt?.keyId;
|
|
143
|
-
return {
|
|
144
|
-
serialNumberHex: cert.serialNumber,
|
|
145
|
-
publicKey,
|
|
146
|
-
subject: cert.subject,
|
|
147
|
-
issuer: cert.issuer,
|
|
148
|
-
notBefore: cert.notBefore,
|
|
149
|
-
notAfter: cert.notAfter,
|
|
150
|
-
dnsNames: CertificateGenerator.extractDnsNamesFromExtensions(cert.extensions),
|
|
151
|
-
authorityKeyIdentifier,
|
|
152
|
-
subjectKeyIdentifier,
|
|
153
|
-
extensions: cert.extensions
|
|
154
|
-
.filter((ext) => ext.type !== forge.pki.oids['subjectAltName'])
|
|
155
|
-
.map((ext) => ({
|
|
156
|
-
oid: ext.type,
|
|
157
|
-
value: Buffer.from(ext.value),
|
|
158
|
-
})),
|
|
159
|
-
};
|
|
160
|
-
}
|
|
161
|
-
/**
|
|
162
|
-
* Checks and parses a Certificate Signing Request (CSR) in PEM format.
|
|
163
|
-
* @param csrPem - The CSR in PEM format.
|
|
164
|
-
* @returns An object containing the parsed CSR details.
|
|
165
|
-
*/
|
|
166
|
-
static async checkAndParseCsr(csrPem) {
|
|
167
|
-
const csr = new Pkcs10CertificateRequest(csrPem);
|
|
168
|
-
const isValid = await csr.verify();
|
|
169
|
-
if (!isValid) {
|
|
170
|
-
throw new Error('CSR signature verification failed');
|
|
171
|
-
}
|
|
172
|
-
const publicKey = await cryptoProvider.subtle.importKey('spki', csr.publicKey.rawData, Object.assign(csr.signatureAlgorithm, csr.publicKey.algorithm), true, ['verify']);
|
|
173
|
-
const parsedCsr = {
|
|
174
|
-
subject: csr.subject,
|
|
175
|
-
publicKey,
|
|
176
|
-
dnsNames: CertificateGenerator.extractDnsNamesFromExtensions(csr.extensions),
|
|
177
|
-
extensions: csr.extensions
|
|
178
|
-
.filter((ext) => ext.type !== forge.pki.oids['subjectAltName'])
|
|
179
|
-
.map((ext) => ({
|
|
180
|
-
oid: ext.type,
|
|
181
|
-
value: Buffer.from(ext.value),
|
|
182
|
-
})),
|
|
183
|
-
};
|
|
184
|
-
return parsedCsr;
|
|
185
|
-
}
|
|
186
|
-
static async getCryptoKeys({ privateKey, publicKey }) {
|
|
187
|
-
const [pubKey, privKey] = await Promise.all([
|
|
188
|
-
typeof publicKey === 'string'
|
|
189
|
-
? CryptoKeysTransformer.spkiPemToCryptoKey(publicKey)
|
|
190
|
-
: publicKey,
|
|
191
|
-
typeof privateKey === 'string'
|
|
192
|
-
? CryptoKeysTransformer.pkcs8PemToCryptoKey(privateKey)
|
|
193
|
-
: privateKey,
|
|
194
|
-
]);
|
|
195
|
-
assert.deepEqual(pubKey.algorithm, privKey.algorithm, 'Both keys must have same algorithm defined');
|
|
196
|
-
return { publicKey: pubKey, privateKey: privKey };
|
|
197
|
-
}
|
|
198
|
-
static getAlgorithm(signatureAlgorithm) {
|
|
199
|
-
switch (signatureAlgorithm) {
|
|
200
|
-
case 'RSASSA-PKCS1-SHA256':
|
|
201
|
-
return {
|
|
202
|
-
name: 'RSASSA-PKCS1-v1_5',
|
|
203
|
-
hash: 'SHA-256',
|
|
204
|
-
publicExponent: new Uint8Array([1, 0, 1]), // 65537
|
|
205
|
-
modulusLength: 2048,
|
|
206
|
-
};
|
|
207
|
-
case 'ECDSA-P-256-SHA256':
|
|
208
|
-
return {
|
|
209
|
-
name: 'ECDSA',
|
|
210
|
-
namedCurve: 'P-256',
|
|
211
|
-
};
|
|
212
|
-
case 'ECDSA-secp256k1-SHA256':
|
|
213
|
-
return {
|
|
214
|
-
name: 'ECDSA',
|
|
215
|
-
namedCurve: 'K-256',
|
|
216
|
-
};
|
|
217
|
-
default:
|
|
218
|
-
throw new Error(`Unsupported signature algorithm: ${signatureAlgorithm}`);
|
|
219
|
-
}
|
|
220
|
-
}
|
|
221
|
-
static extractDnsNamesFromExtensions(extensions) {
|
|
222
|
-
const subjectAltNameExt = extensions.find((ext) => ext.type === forge.pki.oids['subjectAltName']);
|
|
223
|
-
if (!subjectAltNameExt) {
|
|
224
|
-
return;
|
|
225
|
-
}
|
|
226
|
-
const dnsNames = subjectAltNameExt.names.items.map((item) => item.value);
|
|
227
|
-
return dnsNames;
|
|
228
|
-
}
|
|
229
|
-
}
|
|
230
|
-
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhdG9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9nZW5lcmF0b3IudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxNQUFNLE1BQU0sUUFBUSxDQUFDO0FBQzVCLE9BQU8sS0FBSyxNQUFNLFlBQVksQ0FBQztBQUMvQixPQUFPLEVBRUwsd0JBQXdCLEVBQ3hCLHlCQUF5QixFQUN6Qix5QkFBeUIsRUFDekIsU0FBUyxFQUNULCtCQUErQixFQUcvQixnQkFBZ0IsRUFDaEIsYUFBYSxFQUNiLGtCQUFrQixFQUNsQixpQ0FBaUMsRUFFakMsd0JBQXdCLEVBQ3hCLGVBQWUsRUFDZiw0QkFBNEIsRUFDNUIsK0JBQStCLEVBQy9CLDZCQUE2QixHQUU5QixNQUFNLGdCQUFnQixDQUFDO0FBVXhCLE9BQU8sRUFBRSxjQUFjLEVBQUUsTUFBTSxtQkFBbUIsQ0FBQztBQUNuRCxPQUFPLEVBQUUscUJBQXFCLEVBQUUsTUFBTSxtQ0FBbUMsQ0FBQztBQUMxRSxPQUFPLEVBQUUsV0FBVyxFQUFFLE1BQU0sb0JBQW9CLENBQUM7QUFDakQsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRWpELE1BQU0sV0FBVyxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLENBQUMseUJBQXlCO0FBRTdELE1BQU0scUNBQXFDLEdBQUcsQ0FBQyxHQUFHLE1BQU0sQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDO0FBRWpGLE1BQU0sT0FBTyxvQkFBb0I7SUFDL0I7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsWUFBWSxDQUFDLE1BQTBCO1FBQ2xELE1BQU0sRUFBRSxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUM7UUFFOUIsTUFBTSxFQUFFLFNBQVMsRUFBRSxnQkFBZ0IsRUFBRSxVQUFVLEVBQUUsZ0JBQWdCLEVBQUUsR0FDakUsTUFBTSxvQkFBb0IsQ0FBQyxhQUFhLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDbkQsTUFBTSxnQkFBZ0IsR0FBRyxnQkFBZ0IsQ0FBQyxTQUF5QixDQUFDO1FBRXBFLE1BQU0sVUFBVSxHQUFnQixDQUFDLElBQUkseUJBQXlCLENBQUMsRUFBRSxFQUFFLFNBQVMsRUFBRSxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBRXJGLE1BQU0scUJBQXFCLEdBQXVCLEVBQUUsQ0FBQztRQUVyRCxJQUFJLGdCQUFnQixDQUFDLFVBQVUsS0FBSyxPQUFPLElBQUksTUFBTSxDQUFDLFFBQVEsRUFBRSxNQUFNLEVBQUUsQ0FBQztZQUN2RSxNQUFNLFlBQVksR0FBcUIsTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDLENBQUM7Z0JBQ3ZFLElBQUksRUFBRSxDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQW9CO2dCQUM5RCxLQUFLLEVBQUUsT0FBTzthQUNmLENBQUMsQ0FBQyxDQUFDO1lBQ0osVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLCtCQUErQixDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUM7WUFFbkUscUJBQXFCLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQztRQUM1RixDQUFDO1FBRUQsSUFBSSxNQUFNLENBQUMsV0FBVyxFQUFFLENBQUM7WUFDdkIscUJBQXFCLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzNELENBQUM7UUFFRCxJQUFJLE1BQU0sQ0FBQyxhQUFhLEVBQUUsQ0FBQztZQUN6QixNQUFNLEVBQUUsT0FBTyxFQUFFLGFBQWEsRUFBRSxHQUFHLE1BQU0sQ0FBQyxhQUFhLENBQUM7WUFDeEQsVUFBVSxDQUFDLElBQUksQ0FDYixJQUFJLDRCQUE0QixDQUFDO2dCQUMvQixJQUFJLEVBQUUsQ0FBQyxPQUFPLENBQUM7Z0JBQ2YsR0FBRyxDQUFDLGFBQWEsQ0FBQyxDQUFDLENBQUMsRUFBRSxTQUFTLEVBQUUsQ0FBQyxhQUFhLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7YUFDekQsQ0FBQyxDQUNILENBQUM7UUFDSixDQUFDO1FBRUQsSUFBSSxxQkFBcUIsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNqQyxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUkseUJBQXlCLENBQUMscUJBQXFCLEVBQUUsS0FBSyxDQUFDLENBQUMsQ0FBQztRQUMvRSxDQUFDO1FBRUQsSUFBSSxhQUFhLEdBQUcsYUFBYSxDQUFDLGdCQUFnQixHQUFHLGFBQWEsQ0FBQyxlQUFlLENBQUM7UUFDbkYsSUFBSSxNQUFNLENBQUMsRUFBRSxFQUFFLENBQUM7WUFDZCxhQUFhLElBQUksYUFBYSxDQUFDLFdBQVcsQ0FBQztRQUM3QyxDQUFDO1FBQ0QsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLGtCQUFrQixDQUFDLGFBQWEsRUFBRSxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBRTdELE1BQU0sZUFBZSxHQUNuQixNQUFNLHFCQUFxQixDQUFDLDZCQUE2QixDQUFDLGdCQUFnQixDQUFDLENBQUM7UUFDOUUsVUFBVSxDQUFDLElBQUksQ0FDYixHQUFHO1lBQ0QsTUFBTSwrQkFBK0IsQ0FBQyxNQUFNLENBQUMsZUFBZSxDQUFDO1lBQzdELE1BQU0sNkJBQTZCLENBQUMsTUFBTSxDQUFDLGdCQUFnQixDQUFDO1NBQzdELENBQ0YsQ0FBQztRQUVGLElBQUksTUFBTSxDQUFDLGdCQUFnQixFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ3BDLE1BQU0sa0JBQWtCLEdBQUcsTUFBTSxDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FDdkQsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLENBQUMscUNBQXFDLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FDbEUsQ0FBQztZQUNGLEtBQUssTUFBTSxlQUFlLElBQUksa0JBQWtCLEVBQUUsQ0FBQztnQkFDakQsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLElBQUksQ0FBQyxlQUFlLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQ25ELE1BQU0sSUFBSSxLQUFLLENBQUMsNkNBQTZDLENBQUMsQ0FBQztnQkFDakUsQ0FBQztnQkFDRCxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksU0FBUyxDQUFDLGVBQWUsQ0FBQyxHQUFHLEVBQUUsS0FBSyxFQUFFLGVBQWUsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDO1lBQ3BGLENBQUM7UUFDSCxDQUFDO1FBRUQsTUFBTSx1QkFBdUIsR0FBZ0M7WUFDM0QsWUFBWSxFQUFFLGtCQUFrQixDQUFDLG9CQUFvQixFQUFFLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztZQUNwRSxNQUFNLEVBQUUsa0JBQWtCLENBQUMsc0JBQXNCLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQztZQUNoRSxPQUFPLEVBQUUsa0JBQWtCLENBQUMsc0JBQXNCLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQztZQUNsRSxTQUFTLEVBQUUsSUFBSSxJQUFJLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxHQUFHLFdBQVcsQ0FBQyxFQUFFLHVEQUF1RDtZQUN0RyxRQUFRLEVBQUUsTUFBTSxDQUFDLFFBQVE7WUFDekIsU0FBUyxFQUFFLGdCQUFnQjtZQUMzQixVQUFVLEVBQUUsZ0JBQWdCO1lBQzVCLGdCQUFnQjtZQUNoQixVQUFVO1NBQ1gsQ0FBQztRQUVGLE1BQU0sSUFBSSxHQUFHLE1BQU0sd0JBQXdCLENBQUMsTUFBTSxDQUFDLHVCQUF1QixDQUFDLENBQUM7UUFFNUUsT0FBTyxJQUFJLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQzlCLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsTUFBTSxDQUFDLFlBQVksQ0FBQyxrQkFBc0M7UUFDeEQsTUFBTSxTQUFTLEdBQUcsb0JBQW9CLENBQUMsWUFBWSxDQUFDLGtCQUFrQixDQUFDLENBQUM7UUFDeEUsT0FBTyxjQUFjLENBQUMsTUFBTSxDQUFDLFdBQVcsQ0FBQyxTQUFTLEVBQUUsSUFBSSxFQUFFLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxDQUFDLENBQUM7SUFDaEYsQ0FBQztJQUVEOzs7O09BSUc7SUFDSCxNQUFNLENBQUMsS0FBSyxDQUFDLFdBQVcsQ0FBQyxNQUF5QjtRQUNoRCxNQUFNLElBQUksR0FBRyxNQUFNLG9CQUFvQixDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUM5RCxNQUFNLGdCQUFnQixHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsU0FBeUIsQ0FBQztRQUNsRSxnQkFBZ0IsQ0FBQyxJQUFJLEdBQUcsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLENBQUM7UUFFNUMsTUFBTSxVQUFVLEdBQWdCLEVBQUUsQ0FBQztRQUVuQyxJQUFJLGdCQUFnQixDQUFDLFVBQVUsS0FBSyxPQUFPLElBQUksTUFBTSxDQUFDLFFBQVEsRUFBRSxNQUFNLEVBQUUsQ0FBQztZQUN2RSxNQUFNLFlBQVksR0FBcUIsTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDLENBQUM7Z0JBQ3ZFLElBQUksRUFBRSxDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQW9CO2dCQUM5RCxLQUFLLEVBQUUsT0FBTzthQUNmLENBQUMsQ0FBQyxDQUFDO1lBQ0osVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLCtCQUErQixDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUM7UUFDckUsQ0FBQztRQUVELElBQUksTUFBTSxDQUFDLGdCQUFnQixFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ3BDLEtBQUssTUFBTSxlQUFlLElBQUksTUFBTSxDQUFDLGdCQUFnQixFQUFFLENBQUM7Z0JBQ3RELElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxJQUFJLENBQUMsZUFBZSxDQUFDLEtBQUssRUFBRSxDQUFDO29CQUNuRCxNQUFNLElBQUksS0FBSyxDQUFDLDJDQUEyQyxDQUFDLENBQUM7Z0JBQy9ELENBQUM7Z0JBQ0QsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLFNBQVMsQ0FBQyxlQUFlLENBQUMsR0FBRyxFQUFFLEtBQUssRUFBRSxlQUFlLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQztZQUNwRixDQUFDO1FBQ0gsQ0FBQztRQUVELE1BQU0sZUFBZSxHQUF5QztZQUM1RCxJQUFJLEVBQUUsa0JBQWtCLENBQUMsc0JBQXNCLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQztZQUMvRCxJQUFJO1lBQ0osZ0JBQWdCO1lBQ2hCLFVBQVU7U0FDWCxDQUFDO1FBRUYsTUFBTSxHQUFHLEdBQUcsTUFBTSxpQ0FBaUMsQ0FBQyxNQUFNLENBQUMsZUFBZSxDQUFDLENBQUM7UUFFNUUsT0FBTyxHQUFHLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQzdCLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsTUFBTSxDQUFDLG9CQUFvQixDQUFDLE9BQXVCO1FBQ2pELE1BQU0sSUFBSSxHQUFHLElBQUksZUFBZSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBRTFDLElBQUksSUFBSSxDQUFDLE1BQU0sS0FBSyxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDakMsT0FBTyxPQUFPLENBQUMsT0FBTyxDQUFDLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRSxDQUFDLENBQUM7UUFDN0MsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsQ0FBQyxFQUFFLE9BQU8sRUFBRSxDQUFDLENBQUMsQ0FBQztJQUN4RCxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsU0FBUyxDQUFDLE9BQXVCO1FBQzVDLE1BQU0sSUFBSSxHQUFHLElBQUksZUFBZSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBRTFDLE1BQU0sU0FBUyxHQUFHLE1BQU0sY0FBYyxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3JELE1BQU0sRUFDTixJQUFJLENBQUMsU0FBUyxDQUFDLE9BQU8sRUFDdEIsTUFBTSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsa0JBQWtCLEVBQUUsSUFBSSxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsRUFDaEUsSUFBSSxFQUNKLENBQUMsUUFBUSxDQUFDLENBQ1gsQ0FBQztRQUVGLE1BQU0seUJBQXlCLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQ3BELENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLFlBQVksK0JBQStCLENBQ1QsQ0FBQztRQUNqRCxNQUFNLHNCQUFzQixHQUFHLHlCQUF5QixFQUFFLEtBQUssQ0FBQztRQUVoRSxNQUFNLHVCQUF1QixHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUNsRCxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxZQUFZLDZCQUE2QixDQUNULENBQUM7UUFDL0MsTUFBTSxvQkFBb0IsR0FBRyx1QkFBdUIsRUFBRSxLQUFLLENBQUM7UUFFNUQsT0FBTztZQUNMLGVBQWUsRUFBRSxJQUFJLENBQUMsWUFBWTtZQUNsQyxTQUFTO1lBQ1QsT0FBTyxFQUFFLElBQUksQ0FBQyxPQUFPO1lBQ3JCLE1BQU0sRUFBRSxJQUFJLENBQUMsTUFBTTtZQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7WUFDekIsUUFBUSxFQUFFLElBQUksQ0FBQyxRQUFRO1lBQ3ZCLFFBQVEsRUFBRSxvQkFBb0IsQ0FBQyw2QkFBNkIsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDO1lBQzdFLHNCQUFzQjtZQUN0QixvQkFBb0I7WUFDcEIsVUFBVSxFQUFFLElBQUksQ0FBQyxVQUFVO2lCQUN4QixNQUFNLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxJQUFJLEtBQUssS0FBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztpQkFDOUQsR0FBRyxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUNiLEdBQUcsRUFBRSxHQUFHLENBQUMsSUFBSTtnQkFDYixLQUFLLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDO2FBQzlCLENBQUMsQ0FBQztTQUNOLENBQUM7SUFDSixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsZ0JBQWdCLENBQUMsTUFBYztRQUMxQyxNQUFNLEdBQUcsR0FBRyxJQUFJLHdCQUF3QixDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBRWpELE1BQU0sT0FBTyxHQUFHLE1BQU0sR0FBRyxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ25DLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE1BQU0sSUFBSSxLQUFLLENBQUMsbUNBQW1DLENBQUMsQ0FBQztRQUN2RCxDQUFDO1FBRUQsTUFBTSxTQUFTLEdBQUcsTUFBTSxjQUFjLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FDckQsTUFBTSxFQUNOLEdBQUcsQ0FBQyxTQUFTLENBQUMsT0FBTyxFQUNyQixNQUFNLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxrQkFBa0IsRUFBRSxHQUFHLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQyxFQUM5RCxJQUFJLEVBQ0osQ0FBQyxRQUFRLENBQUMsQ0FDWCxDQUFDO1FBRUYsTUFBTSxTQUFTLEdBQWM7WUFDM0IsT0FBTyxFQUFFLEdBQUcsQ0FBQyxPQUFPO1lBQ3BCLFNBQVM7WUFDVCxRQUFRLEVBQUUsb0JBQW9CLENBQUMsNkJBQTZCLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQztZQUM1RSxVQUFVLEVBQUUsR0FBRyxDQUFDLFVBQVU7aUJBQ3ZCLE1BQU0sQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLElBQUksS0FBSyxLQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO2lCQUM5RCxHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLENBQUM7Z0JBQ2IsR0FBRyxFQUFFLEdBQUcsQ0FBQyxJQUFJO2dCQUNiLEtBQUssRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUM7YUFDOUIsQ0FBQyxDQUFDO1NBQ04sQ0FBQztRQUVGLE9BQU8sU0FBUyxDQUFDO0lBQ25CLENBQUM7SUFFTyxNQUFNLENBQUMsS0FBSyxDQUFDLGFBQWEsQ0FBQyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQW1CO1FBSTNFLE1BQU0sQ0FBQyxNQUFNLEVBQUUsT0FBTyxDQUFDLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDO1lBQzFDLE9BQU8sU0FBUyxLQUFLLFFBQVE7Z0JBQzNCLENBQUMsQ0FBQyxxQkFBcUIsQ0FBQyxrQkFBa0IsQ0FBQyxTQUFTLENBQUM7Z0JBQ3JELENBQUMsQ0FBQyxTQUFTO1lBQ2IsT0FBTyxVQUFVLEtBQUssUUFBUTtnQkFDNUIsQ0FBQyxDQUFDLHFCQUFxQixDQUFDLG1CQUFtQixDQUFDLFVBQVUsQ0FBQztnQkFDdkQsQ0FBQyxDQUFDLFVBQVU7U0FDZixDQUFDLENBQUM7UUFFSCxNQUFNLENBQUMsU0FBUyxDQUNkLE1BQU0sQ0FBQyxTQUFTLEVBQ2hCLE9BQU8sQ0FBQyxTQUFTLEVBQ2pCLDRDQUE0QyxDQUM3QyxDQUFDO1FBRUYsT0FBTyxFQUFFLFNBQVMsRUFBRSxNQUFNLEVBQUUsVUFBVSxFQUFFLE9BQU8sRUFBRSxDQUFDO0lBQ3BELENBQUM7SUFFTyxNQUFNLENBQUMsWUFBWSxDQUFDLGtCQUEwQjtRQUNwRCxRQUFRLGtCQUFrQixFQUFFLENBQUM7WUFDM0IsS0FBSyxxQkFBcUI7Z0JBQ3hCLE9BQU87b0JBQ0wsSUFBSSxFQUFFLG1CQUFtQjtvQkFDekIsSUFBSSxFQUFFLFNBQVM7b0JBQ2YsY0FBYyxFQUFFLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxFQUFFLFFBQVE7b0JBQ25ELGFBQWEsRUFBRSxJQUFJO2lCQUNwQixDQUFDO1lBQ0osS0FBSyxvQkFBb0I7Z0JBQ3ZCLE9BQU87b0JBQ0wsSUFBSSxFQUFFLE9BQU87b0JBQ2IsVUFBVSxFQUFFLE9BQU87aUJBQ3BCLENBQUM7WUFDSixLQUFLLHdCQUF3QjtnQkFDM0IsT0FBTztvQkFDTCxJQUFJLEVBQUUsT0FBTztvQkFDYixVQUFVLEVBQUUsT0FBTztpQkFDcEIsQ0FBQztZQUNKO2dCQUNFLE1BQU0sSUFBSSxLQUFLLENBQUMsb0NBQW9DLGtCQUFrQixFQUFFLENBQUMsQ0FBQztRQUM5RSxDQUFDO0lBQ0gsQ0FBQztJQUVPLE1BQU0sQ0FBQyw2QkFBNkIsQ0FBQyxVQUF1QjtRQUNsRSxNQUFNLGlCQUFpQixHQUFHLFVBQVUsQ0FBQyxJQUFJLENBQ3ZDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsSUFBSSxLQUFLLEtBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQ1IsQ0FBQztRQUNqRCxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUN2QixPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sUUFBUSxHQUFHLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDekUsT0FBTyxRQUFRLENBQUM7SUFDbEIsQ0FBQztDQUNGIn0=
|