@super-protocol/swarm-contracts-sdk 0.0.1-beta.1

package/dist/cjs/certificates/generator.js

@@ -0,0 +1,262 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateGenerator = void 0;
+const assert_1 = __importDefault(require("assert"));
+const crypto_1 = require("crypto");
+const node_forge_1 = __importDefault(require("node-forge"));
+const x509_1 = require("@peculiar/x509");
+const setup_crypto_js_1 = require("./setup-crypto.js");
+const CryptoKeysTransformer_js_1 = require("../utils/CryptoKeysTransformer.js");
+const helper_js_1 = require("../utils/helper.js");
+const MAX_X509_SERIAL = BigInt('0x' + 'F'.repeat(40));
+const ONE_HOUR_MS = 60 * 60 * 1000; // 1 hour in milliseconds
+const principalAttributeMap = {
+    commonName: 'CN',
+    country: 'C',
+    localityName: 'L',
+    stateName: 'ST',
+    organization: 'O',
+    organizationalUnit: 'OU',
+};
+const notAllowedCertificateCustomExtensions = [...Object.values(node_forge_1.default.pki.oids)];
+class CertificateGenerator {
+    /**
+     * Generates certificate based on the provided parameters.
+     * @param params - Parameters for generating the certificate.
+     * @returns The generated certificate in PEM format.
+     */
+    static async generateCert(params) {
+        const ca = Boolean(params.ca);
+        const { publicKey: subjectPublicKey, privateKey: signerPrivateKey } = await CertificateGenerator.getCryptoKeys(params);
+        const signingAlgorithm = subjectPublicKey.algorithm;
+        const extensions = [new x509_1.BasicConstraintsExtension(ca, undefined, true)];
+        const extendedKeyUsageItems = [];
+        if (signingAlgorithm.namedCurve !== 'K-256' && params.dnsNames?.length) {
+            const generalNames = params.dnsNames.map((dnsName) => ({
+                type: ((0, helper_js_1.isIpAddress)(dnsName) ? 'ip' : 'dns'),
+                value: dnsName,
+            }));
+            extensions.push(new x509_1.SubjectAlternativeNameExtension(generalNames));
+            extendedKeyUsageItems.push(...[x509_1.ExtendedKeyUsage.serverAuth, x509_1.ExtendedKeyUsage.clientAuth]);
+        }
+        if (params.ocspSigning) {
+            extendedKeyUsageItems.push(x509_1.ExtendedKeyUsage.ocspSigning);
+        }
+        if (params.ocspExtension) {
+            const { ocspUrl, issuerCertUrl } = params.ocspExtension;
+            extensions.push(new x509_1.AuthorityInfoAccessExtension({
+                ocsp: [ocspUrl],
+                ...(issuerCertUrl ? { caIssuers: [issuerCertUrl] } : {}),
+            }));
+        }
+        if (extendedKeyUsageItems.length) {
+            extensions.push(new x509_1.ExtendedKeyUsageExtension(extendedKeyUsageItems, false));
+        }
+        let keyUsageFlags = x509_1.KeyUsageFlags.digitalSignature | x509_1.KeyUsageFlags.keyEncipherment;
+        if (params.ca) {
+            keyUsageFlags |= x509_1.KeyUsageFlags.keyCertSign;
+        }
+        extensions.push(new x509_1.KeyUsagesExtension(keyUsageFlags, true));
+        const signerPublicKey = await CryptoKeysTransformer_js_1.CryptoKeysTransformer.cryptoPublicFromCryptoPrivate(signerPrivateKey);
+        extensions.push(...[
+            await x509_1.AuthorityKeyIdentifierExtension.create(signerPublicKey),
+            await x509_1.SubjectKeyIdentifierExtension.create(subjectPublicKey),
+        ]);
+        if (params.customExtensions?.length) {
+            const filteredExtensions = params.customExtensions.filter((ext) => !notAllowedCertificateCustomExtensions.includes(ext.oid));
+            for (const customExtension of filteredExtensions) {
+                if (!customExtension.oid || !customExtension.value) {
+                    throw new Error('Custom extension OID and value are required');
+                }
+                extensions.push(new x509_1.Extension(customExtension.oid, false, customExtension.value));
+            }
+        }
+        const createCertificateParams = {
+            serialNumber: CertificateGenerator.generateSerialNumber(),
+            issuer: CertificateGenerator.getPrincipalInfo(params.issuer),
+            subject: CertificateGenerator.getPrincipalInfo(params.subject),
+            notBefore: new Date(Date.now() - ONE_HOUR_MS), //1 hour ago to avoid clock skew issues between servers
+            notAfter: params.notAfter,
+            publicKey: subjectPublicKey,
+            signingKey: signerPrivateKey,
+            signingAlgorithm,
+            extensions,
+        };
+        const cert = await x509_1.X509CertificateGenerator.create(createCertificateParams);
+        return cert.toString('pem');
+    }
+    /**
+     * Generates a pair of cryptographic keys based on the specified signature algorithm.
+     * @param signatureAlgorithm - The algorithm to use for key generation.
+     * @returns A promise that resolves to a CryptoKeyPair containing the public and private keys.
+     */
+    static generateKeys(signatureAlgorithm) {
+        const algorithm = CertificateGenerator.getAlgorithm(signatureAlgorithm);
+        return setup_crypto_js_1.cryptoProvider.subtle.generateKey(algorithm, true, ['sign', 'verify']);
+    }
+    /**
+     * Generates a Certificate Signing Request (CSR) based on the provided parameters.
+     * @param params - Parameters for generating the CSR.
+     * @returns The generated CSR in PEM format.
+     */
+    static async generateCsr(params) {
+        const keys = await CertificateGenerator.getCryptoKeys(params);
+        const signingAlgorithm = keys.publicKey.algorithm;
+        signingAlgorithm.hash = { name: 'SHA-256' };
+        const extensions = [];
+        if (signingAlgorithm.namedCurve !== 'K-256' && params.dnsNames?.length) {
+            const generalNames = params.dnsNames.map((dnsName) => ({
+                type: ((0, helper_js_1.isIpAddress)(dnsName) ? 'ip' : 'dns'),
+                value: dnsName,
+            }));
+            extensions.push(new x509_1.SubjectAlternativeNameExtension(generalNames));
+        }
+        if (params.customExtensions?.length) {
+            for (const customExtension of params.customExtensions) {
+                if (!customExtension.oid || !customExtension.value) {
+                    throw new Error(`Some custom extension missed OID or value`);
+                }
+                extensions.push(new x509_1.Extension(customExtension.oid, false, customExtension.value));
+            }
+        }
+        const createCsrParams = {
+            name: CertificateGenerator.getPrincipalInfo(params.subject),
+            keys,
+            signingAlgorithm,
+            extensions,
+        };
+        const csr = await x509_1.Pkcs10CertificateRequestGenerator.create(createCsrParams);
+        return csr.toString('pem');
+    }
+    /**
+     * Checks and parses a certificate in PEM format.
+     * @param certPem - The certificate in PEM format.
+     * @returns An object containing the parsed certificate details.
+     */
+    static async checkAndParseCert(certPem) {
+        const cert = new x509_1.X509Certificate(certPem);
+        if (cert.issuer === cert.subject) {
+            const isValid = await cert.verify();
+            if (!isValid) {
+                throw new Error('Self-signed certificate signature verification failed');
+            }
+        }
+        const publicKey = await setup_crypto_js_1.cryptoProvider.subtle.importKey('spki', cert.publicKey.rawData, Object.assign(cert.signatureAlgorithm, cert.publicKey.algorithm), true, ['verify']);
+        const authorityKeyIdentifierExt = cert.extensions.find((ext) => ext instanceof x509_1.AuthorityKeyIdentifierExtension);
+        const authorityKeyIdentifier = authorityKeyIdentifierExt?.keyId;
+        const subjectKeyIdentifierExt = cert.extensions.find((ext) => ext instanceof x509_1.SubjectKeyIdentifierExtension);
+        const subjectKeyIdentifier = subjectKeyIdentifierExt?.keyId;
+        return {
+            serialNumberHex: cert.serialNumber,
+            publicKey,
+            subject: cert.subject,
+            issuer: cert.issuer,
+            notBefore: cert.notBefore,
+            notAfter: cert.notAfter,
+            dnsNames: CertificateGenerator.extractDnsNamesFromExtensions(cert.extensions),
+            authorityKeyIdentifier,
+            subjectKeyIdentifier,
+            extensions: cert.extensions
+                .filter((ext) => ext.type !== node_forge_1.default.pki.oids['subjectAltName'])
+                .map((ext) => ({
+                oid: ext.type,
+                value: Buffer.from(ext.value),
+            })),
+        };
+    }
+    /**
+     * Checks and parses a Certificate Signing Request (CSR) in PEM format.
+     * @param csrPem - The CSR in PEM format.
+     * @returns An object containing the parsed CSR details.
+     */
+    static async checkAndParseCsr(csrPem) {
+        const csr = new x509_1.Pkcs10CertificateRequest(csrPem);
+        const isValid = await csr.verify();
+        if (!isValid) {
+            throw new Error('CSR signature verification failed');
+        }
+        const publicKey = await setup_crypto_js_1.cryptoProvider.subtle.importKey('spki', csr.publicKey.rawData, Object.assign(csr.signatureAlgorithm, csr.publicKey.algorithm), true, ['verify']);
+        const parsedCsr = {
+            subject: csr.subject,
+            publicKey,
+            dnsNames: CertificateGenerator.extractDnsNamesFromExtensions(csr.extensions),
+            extensions: csr.extensions
+                .filter((ext) => ext.type !== node_forge_1.default.pki.oids['subjectAltName'])
+                .map((ext) => ({
+                oid: ext.type,
+                value: Buffer.from(ext.value),
+            })),
+        };
+        return parsedCsr;
+    }
+    static async getCryptoKeys({ privateKey, publicKey }) {
+        const [pubKey, privKey] = await Promise.all([
+            typeof publicKey === 'string'
+                ? CryptoKeysTransformer_js_1.CryptoKeysTransformer.spkiPemToCryptoKey(publicKey)
+                : publicKey,
+            typeof privateKey === 'string'
+                ? CryptoKeysTransformer_js_1.CryptoKeysTransformer.pkcs8PemToCryptoKey(privateKey)
+                : privateKey,
+        ]);
+        assert_1.default.deepEqual(pubKey.algorithm, privKey.algorithm, 'Both keys must have same algorithm defined');
+        return { publicKey: pubKey, privateKey: privKey };
+    }
+    static generateSerialNumber() {
+        const uuid = (0, crypto_1.randomUUID)().replace(/-/g, '');
+        let serial = BigInt('0x' + uuid) % MAX_X509_SERIAL;
+        // Ensure the serial number is positive in ASN1
+        // 89abcdefABCDEF - set of all hex symbols that have 1 as first bit
+        const serialHex = serial.toString(16);
+        if (serialHex[0] && '89abcdefABCDEF'.includes(serialHex[0])) {
+            serial = serial >> 1n;
+        }
+        return serial.toString(16);
+    }
+    static getPrincipalInfo(principal) {
+        if (typeof principal === 'string') {
+            return principal;
+        }
+        if (!principal.commonName) {
+            throw new Error('Common name is required');
+        }
+        return Object.entries(principal)
+            .map(([key, value]) => `${principalAttributeMap[key] || key}=${value}`)
+            .join(',');
+    }
+    static getAlgorithm(signatureAlgorithm) {
+        switch (signatureAlgorithm) {
+            case 'RSASSA-PKCS1-SHA256':
+                return {
+                    name: 'RSASSA-PKCS1-v1_5',
+                    hash: 'SHA-256',
+                    publicExponent: new Uint8Array([1, 0, 1]), // 65537
+                    modulusLength: 2048,
+                };
+            case 'ECDSA-P-256-SHA256':
+                return {
+                    name: 'ECDSA',
+                    namedCurve: 'P-256',
+                };
+            case 'ECDSA-secp256k1-SHA256':
+                return {
+                    name: 'ECDSA',
+                    namedCurve: 'K-256',
+                };
+            default:
+                throw new Error(`Unsupported signature algorithm: ${signatureAlgorithm}`);
+        }
+    }
+    static extractDnsNamesFromExtensions(extensions) {
+        const subjectAltNameExt = extensions.find((ext) => ext.type === node_forge_1.default.pki.oids['subjectAltName']);
+        if (!subjectAltNameExt) {
+            return;
+        }
+        const dnsNames = subjectAltNameExt.names.items.map((item) => item.value);
+        return dnsNames;
+    }
+}
+exports.CertificateGenerator = CertificateGenerator;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhdG9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9nZW5lcmF0b3IudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBQUEsb0RBQTRCO0FBQzVCLG1DQUFvQztBQUNwQyw0REFBK0I7QUFDL0IseUNBbUJ3QjtBQVd4Qix1REFBbUQ7QUFDbkQsZ0ZBQTBFO0FBQzFFLGtEQUFpRDtBQUVqRCxNQUFNLGVBQWUsR0FBRyxNQUFNLENBQUMsSUFBSSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztBQUV0RCxNQUFNLFdBQVcsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDLHlCQUF5QjtBQUU3RCxNQUFNLHFCQUFxQixHQUEyQjtJQUNwRCxVQUFVLEVBQUUsSUFBSTtJQUNoQixPQUFPLEVBQUUsR0FBRztJQUNaLFlBQVksRUFBRSxHQUFHO0lBQ2pCLFNBQVMsRUFBRSxJQUFJO0lBQ2YsWUFBWSxFQUFFLEdBQUc7SUFDakIsa0JBQWtCLEVBQUUsSUFBSTtDQUN6QixDQUFDO0FBRUYsTUFBTSxxQ0FBcUMsR0FBRyxDQUFDLEdBQUcsTUFBTSxDQUFDLE1BQU0sQ0FBQyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDO0FBRWpGLE1BQWEsb0JBQW9CO0lBQy9COzs7O09BSUc7SUFDSCxNQUFNLENBQUMsS0FBSyxDQUFDLFlBQVksQ0FBQyxNQUEwQjtRQUNsRCxNQUFNLEVBQUUsR0FBRyxPQUFPLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBRTlCLE1BQU0sRUFBRSxTQUFTLEVBQUUsZ0JBQWdCLEVBQUUsVUFBVSxFQUFFLGdCQUFnQixFQUFFLEdBQ2pFLE1BQU0sb0JBQW9CLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ25ELE1BQU0sZ0JBQWdCLEdBQUcsZ0JBQWdCLENBQUMsU0FBeUIsQ0FBQztRQUVwRSxNQUFNLFVBQVUsR0FBZ0IsQ0FBQyxJQUFJLGdDQUF5QixDQUFDLEVBQUUsRUFBRSxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUVyRixNQUFNLHFCQUFxQixHQUF1QixFQUFFLENBQUM7UUFFckQsSUFBSSxnQkFBZ0IsQ0FBQyxVQUFVLEtBQUssT0FBTyxJQUFJLE1BQU0sQ0FBQyxRQUFRLEVBQUUsTUFBTSxFQUFFLENBQUM7WUFDdkUsTUFBTSxZQUFZLEdBQXFCLE1BQU0sQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUN2RSxJQUFJLEVBQUUsQ0FBQyxJQUFBLHVCQUFXLEVBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFvQjtnQkFDOUQsS0FBSyxFQUFFLE9BQU87YUFDZixDQUFDLENBQUMsQ0FBQztZQUNKLFVBQVUsQ0FBQyxJQUFJLENBQUMsSUFBSSxzQ0FBK0IsQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDO1lBRW5FLHFCQUFxQixDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsdUJBQWdCLENBQUMsVUFBVSxFQUFFLHVCQUFnQixDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUM7UUFDNUYsQ0FBQztRQUVELElBQUksTUFBTSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQ3ZCLHFCQUFxQixDQUFDLElBQUksQ0FBQyx1QkFBZ0IsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUMzRCxDQUFDO1FBRUQsSUFBSSxNQUFNLENBQUMsYUFBYSxFQUFFLENBQUM7WUFDekIsTUFBTSxFQUFFLE9BQU8sRUFBRSxhQUFhLEVBQUUsR0FBRyxNQUFNLENBQUMsYUFBYSxDQUFDO1lBQ3hELFVBQVUsQ0FBQyxJQUFJLENBQ2IsSUFBSSxtQ0FBNEIsQ0FBQztnQkFDL0IsSUFBSSxFQUFFLENBQUMsT0FBTyxDQUFDO2dCQUNmLEdBQUcsQ0FBQyxhQUFhLENBQUMsQ0FBQyxDQUFDLEVBQUUsU0FBUyxFQUFFLENBQUMsYUFBYSxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDO2FBQ3pELENBQUMsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUVELElBQUkscUJBQXFCLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDakMsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLGdDQUF5QixDQUFDLHFCQUFxQixFQUFFLEtBQUssQ0FBQyxDQUFDLENBQUM7UUFDL0UsQ0FBQztRQUVELElBQUksYUFBYSxHQUFHLG9CQUFhLENBQUMsZ0JBQWdCLEdBQUcsb0JBQWEsQ0FBQyxlQUFlLENBQUM7UUFDbkYsSUFBSSxNQUFNLENBQUMsRUFBRSxFQUFFLENBQUM7WUFDZCxhQUFhLElBQUksb0JBQWEsQ0FBQyxXQUFXLENBQUM7UUFDN0MsQ0FBQztRQUNELFVBQVUsQ0FBQyxJQUFJLENBQUMsSUFBSSx5QkFBa0IsQ0FBQyxhQUFhLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUU3RCxNQUFNLGVBQWUsR0FDbkIsTUFBTSxnREFBcUIsQ0FBQyw2QkFBNkIsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1FBQzlFLFVBQVUsQ0FBQyxJQUFJLENBQ2IsR0FBRztZQUNELE1BQU0sc0NBQStCLENBQUMsTUFBTSxDQUFDLGVBQWUsQ0FBQztZQUM3RCxNQUFNLG9DQUE2QixDQUFDLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQztTQUM3RCxDQUNGLENBQUM7UUFFRixJQUFJLE1BQU0sQ0FBQyxnQkFBZ0IsRUFBRSxNQUFNLEVBQUUsQ0FBQztZQUNwQyxNQUFNLGtCQUFrQixHQUFHLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLENBQ3ZELENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxDQUFDLHFDQUFxQyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLENBQ2xFLENBQUM7WUFDRixLQUFLLE1BQU0sZUFBZSxJQUFJLGtCQUFrQixFQUFFLENBQUM7Z0JBQ2pELElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxJQUFJLENBQUMsZUFBZSxDQUFDLEtBQUssRUFBRSxDQUFDO29CQUNuRCxNQUFNLElBQUksS0FBSyxDQUFDLDZDQUE2QyxDQUFDLENBQUM7Z0JBQ2pFLENBQUM7Z0JBQ0QsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLGdCQUFTLENBQUMsZUFBZSxDQUFDLEdBQUcsRUFBRSxLQUFLLEVBQUUsZUFBZSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUM7WUFDcEYsQ0FBQztRQUNILENBQUM7UUFFRCxNQUFNLHVCQUF1QixHQUFnQztZQUMzRCxZQUFZLEVBQUUsb0JBQW9CLENBQUMsb0JBQW9CLEVBQUU7WUFDekQsTUFBTSxFQUFFLG9CQUFvQixDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUM7WUFDNUQsT0FBTyxFQUFFLG9CQUFvQixDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUM7WUFDOUQsU0FBUyxFQUFFLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxXQUFXLENBQUMsRUFBRSx1REFBdUQ7WUFDdEcsUUFBUSxFQUFFLE1BQU0sQ0FBQyxRQUFRO1lBQ3pCLFNBQVMsRUFBRSxnQkFBZ0I7WUFDM0IsVUFBVSxFQUFFLGdCQUFnQjtZQUM1QixnQkFBZ0I7WUFDaEIsVUFBVTtTQUNYLENBQUM7UUFFRixNQUFNLElBQUksR0FBRyxNQUFNLCtCQUF3QixDQUFDLE1BQU0sQ0FBQyx1QkFBdUIsQ0FBQyxDQUFDO1FBRTVFLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUM5QixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxZQUFZLENBQUMsa0JBQXNDO1FBQ3hELE1BQU0sU0FBUyxHQUFHLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO1FBQ3hFLE9BQU8sZ0NBQWMsQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDLFNBQVMsRUFBRSxJQUFJLEVBQUUsQ0FBQyxNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztJQUNoRixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsV0FBVyxDQUFDLE1BQXlCO1FBQ2hELE1BQU0sSUFBSSxHQUFHLE1BQU0sb0JBQW9CLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQzlELE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxTQUF5QixDQUFDO1FBQ2xFLGdCQUFnQixDQUFDLElBQUksR0FBRyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsQ0FBQztRQUU1QyxNQUFNLFVBQVUsR0FBZ0IsRUFBRSxDQUFDO1FBRW5DLElBQUksZ0JBQWdCLENBQUMsVUFBVSxLQUFLLE9BQU8sSUFBSSxNQUFNLENBQUMsUUFBUSxFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ3ZFLE1BQU0sWUFBWSxHQUFxQixNQUFNLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDdkUsSUFBSSxFQUFFLENBQUMsSUFBQSx1QkFBVyxFQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBb0I7Z0JBQzlELEtBQUssRUFBRSxPQUFPO2FBQ2YsQ0FBQyxDQUFDLENBQUM7WUFDSixVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksc0NBQStCLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQztRQUNyRSxDQUFDO1FBRUQsSUFBSSxNQUFNLENBQUMsZ0JBQWdCLEVBQUUsTUFBTSxFQUFFLENBQUM7WUFDcEMsS0FBSyxNQUFNLGVBQWUsSUFBSSxNQUFNLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDdEQsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLElBQUksQ0FBQyxlQUFlLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQ25ELE1BQU0sSUFBSSxLQUFLLENBQUMsMkNBQTJDLENBQUMsQ0FBQztnQkFDL0QsQ0FBQztnQkFDRCxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksZ0JBQVMsQ0FBQyxlQUFlLENBQUMsR0FBRyxFQUFFLEtBQUssRUFBRSxlQUFlLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQztZQUNwRixDQUFDO1FBQ0gsQ0FBQztRQUVELE1BQU0sZUFBZSxHQUF5QztZQUM1RCxJQUFJLEVBQUUsb0JBQW9CLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQztZQUMzRCxJQUFJO1lBQ0osZ0JBQWdCO1lBQ2hCLFVBQVU7U0FDWCxDQUFDO1FBRUYsTUFBTSxHQUFHLEdBQUcsTUFBTSx3Q0FBaUMsQ0FBQyxNQUFNLENBQUMsZUFBZSxDQUFDLENBQUM7UUFFNUUsT0FBTyxHQUFHLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQzdCLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsTUFBTSxDQUFDLEtBQUssQ0FBQyxpQkFBaUIsQ0FBQyxPQUFlO1FBQzVDLE1BQU0sSUFBSSxHQUFHLElBQUksc0JBQWUsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUUxQyxJQUFJLElBQUksQ0FBQyxNQUFNLEtBQUssSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ2pDLE1BQU0sT0FBTyxHQUFHLE1BQU0sSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ3BDLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztnQkFDYixNQUFNLElBQUksS0FBSyxDQUFDLHVEQUF1RCxDQUFDLENBQUM7WUFDM0UsQ0FBQztRQUNILENBQUM7UUFFRCxNQUFNLFNBQVMsR0FBRyxNQUFNLGdDQUFjLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FDckQsTUFBTSxFQUNOLElBQUksQ0FBQyxTQUFTLENBQUMsT0FBTyxFQUN0QixNQUFNLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQyxFQUNoRSxJQUFJLEVBQ0osQ0FBQyxRQUFRLENBQUMsQ0FDWCxDQUFDO1FBRUYsTUFBTSx5QkFBeUIsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksQ0FDcEQsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsWUFBWSxzQ0FBK0IsQ0FDVCxDQUFDO1FBQ2pELE1BQU0sc0JBQXNCLEdBQUcseUJBQXlCLEVBQUUsS0FBSyxDQUFDO1FBRWhFLE1BQU0sdUJBQXVCLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQ2xELENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLFlBQVksb0NBQTZCLENBQ1QsQ0FBQztRQUMvQyxNQUFNLG9CQUFvQixHQUFHLHVCQUF1QixFQUFFLEtBQUssQ0FBQztRQUU1RCxPQUFPO1lBQ0wsZUFBZSxFQUFFLElBQUksQ0FBQyxZQUFZO1lBQ2xDLFNBQVM7WUFDVCxPQUFPLEVBQUUsSUFBSSxDQUFDLE9BQU87WUFDckIsTUFBTSxFQUFFLElBQUksQ0FBQyxNQUFNO1lBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUztZQUN6QixRQUFRLEVBQUUsSUFBSSxDQUFDLFFBQVE7WUFDdkIsUUFBUSxFQUFFLG9CQUFvQixDQUFDLDZCQUE2QixDQUFDLElBQUksQ0FBQyxVQUFVLENBQUM7WUFDN0Usc0JBQXNCO1lBQ3RCLG9CQUFvQjtZQUNwQixVQUFVLEVBQUUsSUFBSSxDQUFDLFVBQVU7aUJBQ3hCLE1BQU0sQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLElBQUksS0FBSyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztpQkFDOUQsR0FBRyxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUNiLEdBQUcsRUFBRSxHQUFHLENBQUMsSUFBSTtnQkFDYixLQUFLLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDO2FBQzlCLENBQUMsQ0FBQztTQUNOLENBQUM7SUFDSixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsZ0JBQWdCLENBQUMsTUFBYztRQUMxQyxNQUFNLEdBQUcsR0FBRyxJQUFJLCtCQUF3QixDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBRWpELE1BQU0sT0FBTyxHQUFHLE1BQU0sR0FBRyxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ25DLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE1BQU0sSUFBSSxLQUFLLENBQUMsbUNBQW1DLENBQUMsQ0FBQztRQUN2RCxDQUFDO1FBRUQsTUFBTSxTQUFTLEdBQUcsTUFBTSxnQ0FBYyxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3JELE1BQU0sRUFDTixHQUFHLENBQUMsU0FBUyxDQUFDLE9BQU8sRUFDckIsTUFBTSxDQUFDLE1BQU0sQ0FBQyxHQUFHLENBQUMsa0JBQWtCLEVBQUUsR0FBRyxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsRUFDOUQsSUFBSSxFQUNKLENBQUMsUUFBUSxDQUFDLENBQ1gsQ0FBQztRQUVGLE1BQU0sU0FBUyxHQUFjO1lBQzNCLE9BQU8sRUFBRSxHQUFHLENBQUMsT0FBTztZQUNwQixTQUFTO1lBQ1QsUUFBUSxFQUFFLG9CQUFvQixDQUFDLDZCQUE2QixDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUM7WUFDNUUsVUFBVSxFQUFFLEdBQUcsQ0FBQyxVQUFVO2lCQUN2QixNQUFNLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxJQUFJLEtBQUssb0JBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQUM7aUJBQzlELEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDYixHQUFHLEVBQUUsR0FBRyxDQUFDLElBQUk7Z0JBQ2IsS0FBSyxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQzthQUM5QixDQUFDLENBQUM7U0FDTixDQUFDO1FBRUYsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztJQUVPLE1BQU0sQ0FBQyxLQUFLLENBQUMsYUFBYSxDQUFDLEVBQUUsVUFBVSxFQUFFLFNBQVMsRUFBbUI7UUFJM0UsTUFBTSxDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsR0FBRyxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQUM7WUFDMUMsT0FBTyxTQUFTLEtBQUssUUFBUTtnQkFDM0IsQ0FBQyxDQUFDLGdEQUFxQixDQUFDLGtCQUFrQixDQUFDLFNBQVMsQ0FBQztnQkFDckQsQ0FBQyxDQUFDLFNBQVM7WUFDYixPQUFPLFVBQVUsS0FBSyxRQUFRO2dCQUM1QixDQUFDLENBQUMsZ0RBQXFCLENBQUMsbUJBQW1CLENBQUMsVUFBVSxDQUFDO2dCQUN2RCxDQUFDLENBQUMsVUFBVTtTQUNmLENBQUMsQ0FBQztRQUVILGdCQUFNLENBQUMsU0FBUyxDQUNkLE1BQU0sQ0FBQyxTQUFTLEVBQ2hCLE9BQU8sQ0FBQyxTQUFTLEVBQ2pCLDRDQUE0QyxDQUM3QyxDQUFDO1FBRUYsT0FBTyxFQUFFLFNBQVMsRUFBRSxNQUFNLEVBQUUsVUFBVSxFQUFFLE9BQU8sRUFBRSxDQUFDO0lBQ3BELENBQUM7SUFFTyxNQUFNLENBQUMsb0JBQW9CO1FBQ2pDLE1BQU0sSUFBSSxHQUFHLElBQUEsbUJBQVUsR0FBRSxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFDNUMsSUFBSSxNQUFNLEdBQUcsTUFBTSxDQUFDLElBQUksR0FBRyxJQUFJLENBQUMsR0FBRyxlQUFlLENBQUM7UUFFbkQsK0NBQStDO1FBQy9DLG1FQUFtRTtRQUNuRSxNQUFNLFNBQVMsR0FBRyxNQUFNLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3RDLElBQUksU0FBUyxDQUFDLENBQUMsQ0FBQyxJQUFJLGdCQUFnQixDQUFDLFFBQVEsQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDO1lBQzVELE1BQU0sR0FBRyxNQUFNLElBQUksRUFBRSxDQUFDO1FBQ3hCLENBQUM7UUFFRCxPQUFPLE1BQU0sQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDLENBQUM7SUFDN0IsQ0FBQztJQUVPLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQyxTQUF3QztRQUN0RSxJQUFJLE9BQU8sU0FBUyxLQUFLLFFBQVEsRUFBRSxDQUFDO1lBQ2xDLE9BQU8sU0FBUyxDQUFDO1FBQ25CLENBQUM7UUFFRCxJQUFJLENBQUMsU0FBUyxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQzFCLE1BQU0sSUFBSSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQztRQUM3QyxDQUFDO1FBRUQsT0FBTyxNQUFNLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQzthQUM3QixHQUFHLENBQUMsQ0FBQyxDQUFDLEdBQUcsRUFBRSxLQUFLLENBQUMsRUFBRSxFQUFFLENBQUMsR0FBRyxxQkFBcUIsQ0FBQyxHQUFHLENBQUMsSUFBSSxHQUFHLElBQUksS0FBSyxFQUFFLENBQUM7YUFDdEUsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ2YsQ0FBQztJQUVPLE1BQU0sQ0FBQyxZQUFZLENBQUMsa0JBQTBCO1FBQ3BELFFBQVEsa0JBQWtCLEVBQUUsQ0FBQztZQUMzQixLQUFLLHFCQUFxQjtnQkFDeEIsT0FBTztvQkFDTCxJQUFJLEVBQUUsbUJBQW1CO29CQUN6QixJQUFJLEVBQUUsU0FBUztvQkFDZixjQUFjLEVBQUUsSUFBSSxVQUFVLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsUUFBUTtvQkFDbkQsYUFBYSxFQUFFLElBQUk7aUJBQ3BCLENBQUM7WUFDSixLQUFLLG9CQUFvQjtnQkFDdkIsT0FBTztvQkFDTCxJQUFJLEVBQUUsT0FBTztvQkFDYixVQUFVLEVBQUUsT0FBTztpQkFDcEIsQ0FBQztZQUNKLEtBQUssd0JBQXdCO2dCQUMzQixPQUFPO29CQUNMLElBQUksRUFBRSxPQUFPO29CQUNiLFVBQVUsRUFBRSxPQUFPO2lCQUNwQixDQUFDO1lBQ0o7Z0JBQ0UsTUFBTSxJQUFJLEtBQUssQ0FBQyxvQ0FBb0Msa0JBQWtCLEVBQUUsQ0FBQyxDQUFDO1FBQzlFLENBQUM7SUFDSCxDQUFDO0lBRU8sTUFBTSxDQUFDLDZCQUE2QixDQUFDLFVBQXVCO1FBQ2xFLE1BQU0saUJBQWlCLEdBQUcsVUFBVSxDQUFDLElBQUksQ0FDdkMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxJQUFJLEtBQUssb0JBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQ1IsQ0FBQztRQUNqRCxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUN2QixPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sUUFBUSxHQUFHLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDekUsT0FBTyxRQUFRLENBQUM7SUFDbEIsQ0FBQztDQUNGO0FBelRELG9EQXlUQyJ9

package/dist/cjs/certificates/helper.d.ts

@@ -0,0 +1,29 @@
+/// <reference types="node" />
+import * as pkijs from 'pkijs';
+import { AlgorithmObj, CertWithKeyIdentifiers, ValidateCertChainResult } from './types.js';
+import './setup-crypto.js';
+export declare class CertificatesHelper {
+    private static downloadedCertificateCache;
+    static derToPem(data: ArrayBuffer, type?: string): string;
+    static pemToDer(certPem: string): Uint8Array;
+    static splitPemCerts(certs: string): string[];
+    static getDomain(certPem: string): string | undefined;
+    static getExtensionValue(certParam: string | pkijs.Certificate, oid: string): Buffer | undefined;
+    static extractCAFromChain(certsPem: string): {
+        certs: string;
+        ca: string;
+    };
+    static getIssuer(certWithKeyIdent: CertWithKeyIdentifiers, potentialIssuersWithKeyIdent: CertWithKeyIdentifiers[]): CertWithKeyIdentifiers | undefined;
+    static pemChainToDer(certsPem: string): Uint8Array[];
+    static derChainToPem(certsDer: Uint8Array[]): string;
+    static downloadCertWithCache(url: string): Promise<Buffer>;
+    static buildChain(leaf: pkijs.Certificate | CertWithKeyIdentifiers, potentialIssuers: pkijs.Certificate[] | CertWithKeyIdentifiers[]): CertWithKeyIdentifiers[];
+    static sortCertsFromLeafToRoot(certsPem: string | string[] | pkijs.Certificate[] | CertWithKeyIdentifiers[]): CertWithKeyIdentifiers[];
+    static getCertPublicKeyAlgorithm(certPem: string): AlgorithmObj;
+    static getCsrPublicKeyAlgorithm(csrPem: string): AlgorithmObj;
+    static validateCertChain(certsPem: string | string[], caPem: string | string[], options?: {
+        offline?: boolean;
+    }): Promise<ValidateCertChainResult>;
+    static toPkiCerts(certs: string | string[]): pkijs.Certificate[];
+    static addKeyIdentifiersToCerts(certs: Array<pkijs.Certificate | CertWithKeyIdentifiers>): CertWithKeyIdentifiers[];
+}

package/dist/cjs/certificates/helper.js

@@ -0,0 +1,216 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificatesHelper = void 0;
+const lodash_1 = __importDefault(require("lodash"));
+const axios_1 = __importDefault(require("axios"));
+const node_forge_1 = __importDefault(require("node-forge"));
+const pkijs = __importStar(require("pkijs"));
+const x509_1 = require("@peculiar/x509");
+const memory_js_1 = require("../utils/cache/memory.js");
+const ocsp_js_1 = require("./ocsp.js");
+const crl_js_1 = require("./crl.js");
+require("./setup-crypto.js");
+const pki_common_1 = require("@super-protocol/pki-common");
+const oidsForOcspCheck = [
+    pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_ID,
+    pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID,
+    pki_common_1.OID_CUSTOM_EXTENSION_NVIDIA_INFO_GPU,
+    pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_CERTIFICATE_ID,
+];
+class CertificatesHelper {
+    static downloadedCertificateCache = (0, memory_js_1.createMemoryCache)();
+    static derToPem(data, type = 'CERTIFICATE') {
+        return node_forge_1.default.pem.encode({
+            contentDomain: null,
+            dekInfo: null,
+            headers: [],
+            procType: null,
+            type,
+            body: Buffer.from(data).toString('binary'),
+        });
+    }
+    static pemToDer(certPem) {
+        return Buffer.from(node_forge_1.default.pki.pemToDer(certPem).bytes(), 'binary');
+    }
+    static splitPemCerts(certs) {
+        const pemRegex = /(-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----)/g;
+        return certs.match(pemRegex) || [];
+    }
+    static getDomain(certPem) {
+        const cert = node_forge_1.default.pki.certificateFromPem(certPem);
+        return cert.subject.attributes.find((attribute) => attribute.name === 'commonName')
+            ?.value;
+    }
+    static getExtensionValue(certParam, oid) {
+        const cert = typeof certParam === 'string'
+            ? pkijs.Certificate.fromBER(CertificatesHelper.pemToDer(certParam))
+            : certParam;
+        const extension = cert.extensions?.find((ext) => ext.extnID === oid);
+        return extension && Buffer.from(extension.extnValue.valueBlock.toBER());
+    }
+    static extractCAFromChain(certsPem) {
+        const certs = CertificatesHelper.toPkiCerts(certsPem);
+        const splitCerts = lodash_1.default.partition(certs, (cert) => !cert.issuer.isEqual(cert.subject));
+        const toPemChain = (certs) => certs.map((cert) => CertificatesHelper.derToPem(cert.toSchema().toBER())).join('\n');
+        return {
+            certs: toPemChain(splitCerts[0]),
+            ca: toPemChain(splitCerts[1]),
+        };
+    }
+    static getIssuer(certWithKeyIdent, potentialIssuersWithKeyIdent) {
+        return potentialIssuersWithKeyIdent.find((potentialIssuer) => (certWithKeyIdent?.authorityKeyIdentifier && potentialIssuer.subjectKeyIdentifier
+            ? certWithKeyIdent.authorityKeyIdentifier.isEqual(potentialIssuer.subjectKeyIdentifier)
+            : certWithKeyIdent?.cert.issuer.isEqual(potentialIssuer.cert.subject)) &&
+            !certWithKeyIdent?.cert.subject.isEqual(certWithKeyIdent?.cert.issuer));
+    }
+    static pemChainToDer(certsPem) {
+        const certs = CertificatesHelper.splitPemCerts(certsPem);
+        return certs.map((certPem) => CertificatesHelper.pemToDer(certPem));
+    }
+    static derChainToPem(certsDer) {
+        return certsDer
+            .map((cert) => CertificatesHelper.derToPem(cert))
+            .join('')
+            .trim();
+    }
+    static async downloadCertWithCache(url) {
+        const responseData = await CertificatesHelper.downloadedCertificateCache.wrap(url, async () => {
+            const response = await (0, axios_1.default)(url, {
+                responseType: 'arraybuffer',
+            });
+            return response?.data;
+        }, {
+            ttl: 5 * 60 * 1000, //5 min
+        });
+        return responseData;
+    }
+    static buildChain(leaf, potentialIssuers) {
+        const chain = CertificatesHelper.addKeyIdentifiersToCerts([leaf]);
+        const potentialIssuersWithKeyIdentifiers = CertificatesHelper.addKeyIdentifiersToCerts(potentialIssuers);
+        let currentCert = chain[0];
+        do {
+            currentCert = CertificatesHelper.getIssuer(currentCert, potentialIssuersWithKeyIdentifiers);
+            if (currentCert) {
+                chain.push(currentCert);
+            }
+        } while (currentCert);
+        return chain;
+    }
+    static sortCertsFromLeafToRoot(certsPem) {
+        const allCerts = typeof certsPem === 'string' || certsPem.every((cert) => typeof cert === 'string')
+            ? CertificatesHelper.toPkiCerts(certsPem)
+            : certsPem;
+        const certsWithKeyIdentifiers = CertificatesHelper.addKeyIdentifiersToCerts(allCerts);
+        const leafs = certsWithKeyIdentifiers.filter((certToCheck) => !certsWithKeyIdentifiers.some((certsToCheckWith) => certToCheck.subjectKeyIdentifier && certsToCheckWith.authorityKeyIdentifier
+            ? certToCheck.subjectKeyIdentifier.isEqual(certsToCheckWith.authorityKeyIdentifier)
+            : certToCheck.cert.subject.isEqual(certsToCheckWith.cert.issuer)));
+        const chains = leafs
+            .map((leaf) => CertificatesHelper.buildChain(leaf.cert, allCerts))
+            .sort((one, two) => two.length - one.length);
+        return chains.flat();
+    }
+    static getCertPublicKeyAlgorithm(certPem) {
+        const cert = new x509_1.X509Certificate(certPem);
+        const publicKey = cert.publicKey;
+        return publicKey.algorithm;
+    }
+    static getCsrPublicKeyAlgorithm(csrPem) {
+        const csr = new x509_1.Pkcs10CertificateRequest(csrPem);
+        const publicKey = csr.publicKey;
+        return publicKey.algorithm;
+    }
+    static async validateCertChain(certsPem, caPem, options = {}) {
+        const { offline } = options;
+        // reverse() is needed because pkijs expects certificates to be ordered from root to leaf
+        const sortedCertsWithKeyIdent = CertificatesHelper.sortCertsFromLeafToRoot(certsPem).reverse();
+        const sortedCerts = sortedCertsWithKeyIdent.map((certWithKeyIdent) => certWithKeyIdent.cert);
+        const ca = CertificatesHelper.toPkiCerts(caPem);
+        try {
+            const crls = offline ? [] : await crl_js_1.CRLHelper.getCRLFromCerts(sortedCerts);
+            const ocspBaseResponses = offline
+                ? []
+                : await ocsp_js_1.OCSPHelper.getOCSPResponseFromCerts(sortedCertsWithKeyIdent, CertificatesHelper.addKeyIdentifiersToCerts(ca), oidsForOcspCheck);
+            const chainEngine = new pkijs.CertificateChainValidationEngine({
+                certs: sortedCerts,
+                trustedCerts: ca,
+                ocsps: ocspBaseResponses,
+                crls,
+            });
+            const verifyResult = await chainEngine.verify();
+            if (!verifyResult.result) {
+                return {
+                    isValid: false,
+                    errorMessage: verifyResult.resultMessage,
+                };
+            }
+            /**
+             * When verifying a certificate chain, chainEngine.verify() attempts to find a valid
+             * certification path using the provided certificates. It may ignore certificates that
+             * don't belong to the valid chain.
+             *
+             * This check ensures that all certificates we initially provided were actually used
+             * in the valid certification path that CertificateChainValidationEngine constructed.
+             * If any certificate was ignored/not used, we throw an error.
+             */
+            const isEachCertVerified = sortedCerts.every((cert) => verifyResult.certificatePath?.find((verifiedCert) => verifiedCert.serialNumber.isEqual(cert.serialNumber)));
+            if (!isEachCertVerified) {
+                throw new Error('Some of certificates do not belong to chain');
+            }
+            return {
+                isValid: true,
+            };
+        }
+        catch (err) {
+            return {
+                isValid: false,
+                errorMessage: err.message,
+            };
+        }
+    }
+    static toPkiCerts(certs) {
+        const certsArray = Array.isArray(certs) ? certs : CertificatesHelper.splitPemCerts(certs);
+        return certsArray.map((certPem) => pkijs.Certificate.fromBER(CertificatesHelper.pemToDer(certPem)));
+    }
+    static addKeyIdentifiersToCerts(certs) {
+        return certs.map((cert) => {
+            if ('cert' in cert) {
+                return cert;
+            }
+            const authorityKeyIdentifierExt = cert.extensions?.find((ext) => ext.extnID === node_forge_1.default.pki.oids['authorityKeyIdentifier'])?.parsedValue;
+            const subjectKeyIdentifierExt = cert.extensions?.find((ext) => ext.extnID === node_forge_1.default.pki.oids['subjectKeyIdentifier'])?.parsedValue;
+            return {
+                cert,
+                authorityKeyIdentifier: authorityKeyIdentifierExt?.keyIdentifier,
+                subjectKeyIdentifier: subjectKeyIdentifierExt,
+            };
+        });
+    }
+}
+exports.CertificatesHelper = CertificatesHelper;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9oZWxwZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxvREFBdUI7QUFDdkIsa0RBQTBCO0FBQzFCLDREQUErQjtBQUMvQiw2Q0FBK0I7QUFDL0IseUNBQTJFO0FBQzNFLHdEQUE2RDtBQUU3RCx1Q0FBdUM7QUFDdkMscUNBQXFDO0FBQ3JDLDZCQUEyQjtBQUMzQiwyREFLb0M7QUFJcEMsTUFBTSxnQkFBZ0IsR0FBRztJQUN2Qiw4Q0FBaUM7SUFDakMscURBQXdDO0lBQ3hDLGlEQUFvQztJQUNwQywwREFBNkM7Q0FDOUMsQ0FBQztBQUVGLE1BQWEsa0JBQWtCO0lBQ3JCLE1BQU0sQ0FBQywwQkFBMEIsR0FBRyxJQUFBLDZCQUFpQixHQUFFLENBQUM7SUFFaEUsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFpQixFQUFFLE9BQWUsYUFBYTtRQUM3RCxPQUFPLG9CQUFLLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQztZQUN0QixhQUFhLEVBQUUsSUFBSTtZQUNuQixPQUFPLEVBQUUsSUFBSTtZQUNiLE9BQU8sRUFBRSxFQUFFO1lBQ1gsUUFBUSxFQUFFLElBQUk7WUFDZCxJQUFJO1lBQ0osSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQztTQUMzQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsTUFBTSxDQUFDLFFBQVEsQ0FBQyxPQUFlO1FBQzdCLE9BQU8sTUFBTSxDQUFDLElBQUksQ0FBQyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsS0FBSyxFQUFFLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDcEUsQ0FBQztJQUVELE1BQU0sQ0FBQyxhQUFhLENBQUMsS0FBYTtRQUNoQyxNQUFNLFFBQVEsR0FBRyxpRUFBaUUsQ0FBQztRQUNuRixPQUFPLEtBQUssQ0FBQyxLQUFLLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO0lBQ3JDLENBQUM7SUFFRCxNQUFNLENBQUMsU0FBUyxDQUFDLE9BQWU7UUFDOUIsTUFBTSxJQUFJLEdBQUcsb0JBQUssQ0FBQyxHQUFHLENBQUMsa0JBQWtCLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDbkQsT0FBTyxJQUFJLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxTQUFTLEVBQUUsRUFBRSxDQUFDLFNBQVMsQ0FBQyxJQUFJLEtBQUssWUFBWSxDQUFDO1lBQ2pGLEVBQUUsS0FBZSxDQUFDO0lBQ3RCLENBQUM7SUFFRCxNQUFNLENBQUMsaUJBQWlCLENBQUMsU0FBcUMsRUFBRSxHQUFXO1FBQ3pFLE1BQU0sSUFBSSxHQUNSLE9BQU8sU0FBUyxLQUFLLFFBQVE7WUFDM0IsQ0FBQyxDQUFDLEtBQUssQ0FBQyxXQUFXLENBQUMsT0FBTyxDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxTQUFTLENBQUMsQ0FBQztZQUNuRSxDQUFDLENBQUMsU0FBUyxDQUFDO1FBQ2hCLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxVQUFVLEVBQUUsSUFBSSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsTUFBTSxLQUFLLEdBQUcsQ0FBQyxDQUFDO1FBQ3JFLE9BQU8sU0FBUyxJQUFJLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxFQUFFLENBQUMsQ0FBQztJQUMxRSxDQUFDO0lBRUQsTUFBTSxDQUFDLGtCQUFrQixDQUFDLFFBQWdCO1FBQ3hDLE1BQU0sS0FBSyxHQUFHLGtCQUFrQixDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUN0RCxNQUFNLFVBQVUsR0FBRyxnQkFBQyxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUM7UUFFcEYsTUFBTSxVQUFVLEdBQUcsQ0FBQyxLQUEwQixFQUFVLEVBQUUsQ0FDeEQsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsa0JBQWtCLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxRQUFRLEVBQUUsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDO1FBRXZGLE9BQU87WUFDTCxLQUFLLEVBQUUsVUFBVSxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUNoQyxFQUFFLEVBQUUsVUFBVSxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztTQUM5QixDQUFDO0lBQ0osQ0FBQztJQUVELE1BQU0sQ0FBQyxTQUFTLENBQ2QsZ0JBQXdDLEVBQ3hDLDRCQUFzRDtRQUV0RCxPQUFPLDRCQUE0QixDQUFDLElBQUksQ0FDdEMsQ0FBQyxlQUFlLEVBQUUsRUFBRSxDQUNsQixDQUFDLGdCQUFnQixFQUFFLHNCQUFzQixJQUFJLGVBQWUsQ0FBQyxvQkFBb0I7WUFDL0UsQ0FBQyxDQUFDLGdCQUFnQixDQUFDLHNCQUFzQixDQUFDLE9BQU8sQ0FBQyxlQUFlLENBQUMsb0JBQW9CLENBQUM7WUFDdkYsQ0FBQyxDQUFDLGdCQUFnQixFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLGVBQWUsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDeEUsQ0FBQyxnQkFBZ0IsRUFBRSxJQUFJLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxnQkFBZ0IsRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLENBQ3pFLENBQUM7SUFDSixDQUFDO0lBRUQsTUFBTSxDQUFDLGFBQWEsQ0FBQyxRQUFnQjtRQUNuQyxNQUFNLEtBQUssR0FBRyxrQkFBa0IsQ0FBQyxhQUFhLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFekQsT0FBTyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztJQUN0RSxDQUFDO0lBRUQsTUFBTSxDQUFDLGFBQWEsQ0FBQyxRQUFzQjtRQUN6QyxPQUFPLFFBQVE7YUFDWixHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsQ0FBQzthQUNoRCxJQUFJLENBQUMsRUFBRSxDQUFDO2FBQ1IsSUFBSSxFQUFFLENBQUM7SUFDWixDQUFDO0lBRUQsTUFBTSxDQUFDLEtBQUssQ0FBQyxxQkFBcUIsQ0FBQyxHQUFXO1FBQzVDLE1BQU0sWUFBWSxHQUFHLE1BQU0sa0JBQWtCLENBQUMsMEJBQTBCLENBQUMsSUFBSSxDQUMzRSxHQUFHLEVBQ0gsS0FBSyxJQUFJLEVBQUU7WUFDVCxNQUFNLFFBQVEsR0FBRyxNQUFNLElBQUEsZUFBSyxFQUFDLEdBQUcsRUFBRTtnQkFDaEMsWUFBWSxFQUFFLGFBQWE7YUFDNUIsQ0FBQyxDQUFDO1lBQ0gsT0FBTyxRQUFRLEVBQUUsSUFBSSxDQUFDO1FBQ3hCLENBQUMsRUFDRDtZQUNFLEdBQUcsRUFBRSxDQUFDLEdBQUcsRUFBRSxHQUFHLElBQUksRUFBRSxPQUFPO1NBQzVCLENBQ0YsQ0FBQztRQUVGLE9BQU8sWUFBWSxDQUFDO0lBQ3RCLENBQUM7SUFFRCxNQUFNLENBQUMsVUFBVSxDQUNmLElBQWdELEVBQ2hELGdCQUFnRTtRQUVoRSxNQUFNLEtBQUssR0FBRyxrQkFBa0IsQ0FBQyx3QkFBd0IsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7UUFDbEUsTUFBTSxrQ0FBa0MsR0FDdEMsa0JBQWtCLENBQUMsd0JBQXdCLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztRQUNoRSxJQUFJLFdBQVcsR0FBdUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRS9ELEdBQUcsQ0FBQztZQUNGLFdBQVcsR0FBRyxrQkFBa0IsQ0FBQyxTQUFTLENBQUMsV0FBVyxFQUFFLGtDQUFrQyxDQUFDLENBQUM7WUFFNUYsSUFBSSxXQUFXLEVBQUUsQ0FBQztnQkFDaEIsS0FBSyxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsQ0FBQztZQUMxQixDQUFDO1FBQ0gsQ0FBQyxRQUFRLFdBQVcsRUFBRTtRQUV0QixPQUFPLEtBQUssQ0FBQztJQUNmLENBQUM7SUFFRCxNQUFNLENBQUMsdUJBQXVCLENBQzVCLFFBQTRFO1FBRTVFLE1BQU0sUUFBUSxHQUNaLE9BQU8sUUFBUSxLQUFLLFFBQVEsSUFBSSxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxPQUFPLElBQUksS0FBSyxRQUFRLENBQUM7WUFDaEYsQ0FBQyxDQUFDLGtCQUFrQixDQUFDLFVBQVUsQ0FBQyxRQUE2QixDQUFDO1lBQzlELENBQUMsQ0FBRSxRQUFnQyxDQUFDO1FBRXhDLE1BQU0sdUJBQXVCLEdBQUcsa0JBQWtCLENBQUMsd0JBQXdCLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFdEYsTUFBTSxLQUFLLEdBQUcsdUJBQXVCLENBQUMsTUFBTSxDQUMxQyxDQUFDLFdBQVcsRUFBRSxFQUFFLENBQ2QsQ0FBQyx1QkFBdUIsQ0FBQyxJQUFJLENBQUMsQ0FBQyxnQkFBZ0IsRUFBRSxFQUFFLENBQ2pELFdBQVcsQ0FBQyxvQkFBb0IsSUFBSSxnQkFBZ0IsQ0FBQyxzQkFBc0I7WUFDekUsQ0FBQyxDQUFDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxPQUFPLENBQUMsZ0JBQWdCLENBQUMsc0JBQXNCLENBQUM7WUFDbkYsQ0FBQyxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQ25FLENBQ0osQ0FBQztRQUVGLE1BQU0sTUFBTSxHQUFHLEtBQUs7YUFDakIsR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxrQkFBa0IsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxRQUFRLENBQUMsQ0FBQzthQUNqRSxJQUFJLENBQUMsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsTUFBTSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUMvQyxPQUFPLE1BQU0sQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUN2QixDQUFDO0lBRUQsTUFBTSxDQUFDLHlCQUF5QixDQUFDLE9BQWU7UUFDOUMsTUFBTSxJQUFJLEdBQUcsSUFBSSxzQkFBZSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQzFDLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUM7UUFDakMsT0FBTyxTQUFTLENBQUMsU0FBeUIsQ0FBQztJQUM3QyxDQUFDO0lBRUQsTUFBTSxDQUFDLHdCQUF3QixDQUFDLE1BQWM7UUFDNUMsTUFBTSxHQUFHLEdBQUcsSUFBSSwrQkFBd0IsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNqRCxNQUFNLFNBQVMsR0FBRyxHQUFHLENBQUMsU0FBUyxDQUFDO1FBQ2hDLE9BQU8sU0FBUyxDQUFDLFNBQXlCLENBQUM7SUFDN0MsQ0FBQztJQUVELE1BQU0sQ0FBQyxLQUFLLENBQUMsaUJBQWlCLENBQzVCLFFBQTJCLEVBQzNCLEtBQXdCLEVBQ3hCLFVBQWlDLEVBQUU7UUFFbkMsTUFBTSxFQUFFLE9BQU8sRUFBRSxHQUFHLE9BQU8sQ0FBQztRQUU1Qix5RkFBeUY7UUFDekYsTUFBTSx1QkFBdUIsR0FBRyxrQkFBa0IsQ0FBQyx1QkFBdUIsQ0FBQyxRQUFRLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUMvRixNQUFNLFdBQVcsR0FBRyx1QkFBdUIsQ0FBQyxHQUFHLENBQUMsQ0FBQyxnQkFBZ0IsRUFBRSxFQUFFLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDN0YsTUFBTSxFQUFFLEdBQUcsa0JBQWtCLENBQUMsVUFBVSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBRWhELElBQUksQ0FBQztZQUNILE1BQU0sSUFBSSxHQUFHLE9BQU8sQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxNQUFNLGtCQUFTLENBQUMsZUFBZSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1lBQ3pFLE1BQU0saUJBQWlCLEdBQUcsT0FBTztnQkFDL0IsQ0FBQyxDQUFDLEVBQUU7Z0JBQ0osQ0FBQyxDQUFDLE1BQU0sb0JBQVUsQ0FBQyx3QkFBd0IsQ0FDdkMsdUJBQXVCLEVBQ3ZCLGtCQUFrQixDQUFDLHdCQUF3QixDQUFDLEVBQUUsQ0FBQyxFQUMvQyxnQkFBZ0IsQ0FDakIsQ0FBQztZQUVOLE1BQU0sV0FBVyxHQUFHLElBQUksS0FBSyxDQUFDLGdDQUFnQyxDQUFDO2dCQUM3RCxLQUFLLEVBQUUsV0FBVztnQkFDbEIsWUFBWSxFQUFFLEVBQUU7Z0JBQ2hCLEtBQUssRUFBRSxpQkFBaUI7Z0JBQ3hCLElBQUk7YUFDTCxDQUFDLENBQUM7WUFFSCxNQUFNLFlBQVksR0FBRyxNQUFNLFdBQVcsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNoRCxJQUFJLENBQUMsWUFBWSxDQUFDLE1BQU0sRUFBRSxDQUFDO2dCQUN6QixPQUFPO29CQUNMLE9BQU8sRUFBRSxLQUFLO29CQUNkLFlBQVksRUFBRSxZQUFZLENBQUMsYUFBYTtpQkFDekMsQ0FBQztZQUNKLENBQUM7WUFFRDs7Ozs7Ozs7ZUFRRztZQUNILE1BQU0sa0JBQWtCLEdBQUcsV0FBVyxDQUFDLEtBQUssQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQ3BELFlBQVksQ0FBQyxlQUFlLEVBQUUsSUFBSSxDQUFDLENBQUMsWUFBWSxFQUFFLEVBQUUsQ0FDbEQsWUFBWSxDQUFDLFlBQVksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUNyRCxDQUNGLENBQUM7WUFDRixJQUFJLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztnQkFDeEIsTUFBTSxJQUFJLEtBQUssQ0FBQyw2Q0FBNkMsQ0FBQyxDQUFDO1lBQ2pFLENBQUM7WUFFRCxPQUFPO2dCQUNMLE9BQU8sRUFBRSxJQUFJO2FBQ2QsQ0FBQztRQUNKLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsT0FBTztnQkFDTCxPQUFPLEVBQUUsS0FBSztnQkFDZCxZQUFZLEVBQUcsR0FBYSxDQUFDLE9BQU87YUFDckMsQ0FBQztRQUNKLENBQUM7SUFDSCxDQUFDO0lBRUQsTUFBTSxDQUFDLFVBQVUsQ0FBQyxLQUF3QjtRQUN4QyxNQUFNLFVBQVUsR0FBRyxLQUFLLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLGtCQUFrQixDQUFDLGFBQWEsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUMxRixPQUFPLFVBQVUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUNoQyxLQUFLLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FDaEUsQ0FBQztJQUNKLENBQUM7SUFFRCxNQUFNLENBQUMsd0JBQXdCLENBQzdCLEtBQXdEO1FBRXhELE9BQU8sS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFO1lBQ3hCLElBQUksTUFBTSxJQUFJLElBQUksRUFBRSxDQUFDO2dCQUNuQixPQUFPLElBQThCLENBQUM7WUFDeEMsQ0FBQztZQUVELE1BQU0seUJBQXlCLEdBQUcsSUFBSSxDQUFDLFVBQVUsRUFBRSxJQUFJLENBQ3JELENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsTUFBTSxLQUFLLG9CQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyx3QkFBd0IsQ0FBQyxDQUNqRSxFQUFFLFdBQWlELENBQUM7WUFFckQsTUFBTSx1QkFBdUIsR0FBRyxJQUFJLENBQUMsVUFBVSxFQUFFLElBQUksQ0FDbkQsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEtBQUssb0JBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLHNCQUFzQixDQUFDLENBQy9ELEVBQUUsV0FBc0MsQ0FBQztZQUUxQyxPQUFPO2dCQUNMLElBQUk7Z0JBQ0osc0JBQXNCLEVBQUUseUJBQXlCLEVBQUUsYUFBYTtnQkFDaEUsb0JBQW9CLEVBQUUsdUJBQXVCO2FBQzlDLENBQUM7UUFDSixDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7O0FBdFBILGdEQXVQQyJ9

package/dist/cjs/certificates/index.d.ts

@@ -0,0 +1,5 @@
+export * from './helper.js';
+export * from './types.js';
+export * from './serializer.js';
+export * from './generator.js';
+export * from './ocsp.js';

package/dist/cjs/certificates/index.js

@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./helper.js"), exports);
+__exportStar(require("./types.js"), exports);
+__exportStar(require("./serializer.js"), exports);
+__exportStar(require("./generator.js"), exports);
+__exportStar(require("./ocsp.js"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2VydGlmaWNhdGVzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSw4Q0FBNEI7QUFDNUIsNkNBQTJCO0FBQzNCLGtEQUFnQztBQUNoQyxpREFBK0I7QUFDL0IsNENBQTBCIn0=

package/dist/cjs/certificates/ocsp.d.ts

@@ -0,0 +1,14 @@
+import * as pkijs from 'pkijs';
+import { CertWithKeyIdentifiers, GenerateOcspResponseParams, ParsedOcspRequest } from '../index.js';
+export declare class OCSPHelper {
+    static getOCSPResponseFromCerts(certs: CertWithKeyIdentifiers[], ca: CertWithKeyIdentifiers[], oidsToCheck?: string[]): Promise<pkijs.BasicOCSPResponse[]>;
+    static generateOCSPResponse(params: GenerateOcspResponseParams): Promise<ArrayBuffer>;
+    static parseOCSPRequest(ocspRequestBinary: ArrayBuffer): ParsedOcspRequest;
+    private static canCertSignOCSPResponse;
+    private static getOCSPRequestData;
+    private static getOCSPResponse;
+    private static sendOCSPRequest;
+    private static getNonceForRequest;
+    private static getNonceFromResponse;
+    private static getCertExtensionsToCheck;
+}