@super-protocol/swarm-contracts-sdk 0.0.1-beta.1

package/dist/mjs/certificates/generator.js

@@ -0,0 +1,255 @@
+import assert from 'assert';
+import { randomUUID } from 'crypto';
+import forge from 'node-forge';
+import { X509CertificateGenerator, BasicConstraintsExtension, ExtendedKeyUsageExtension, Extension, SubjectAlternativeNameExtension, ExtendedKeyUsage, KeyUsageFlags, KeyUsagesExtension, Pkcs10CertificateRequestGenerator, Pkcs10CertificateRequest, X509Certificate, AuthorityInfoAccessExtension, AuthorityKeyIdentifierExtension, SubjectKeyIdentifierExtension, } from '@peculiar/x509';
+import { cryptoProvider } from './setup-crypto.js';
+import { CryptoKeysTransformer } from '../utils/CryptoKeysTransformer.js';
+import { isIpAddress } from '../utils/helper.js';
+const MAX_X509_SERIAL = BigInt('0x' + 'F'.repeat(40));
+const ONE_HOUR_MS = 60 * 60 * 1000; // 1 hour in milliseconds
+const principalAttributeMap = {
+    commonName: 'CN',
+    country: 'C',
+    localityName: 'L',
+    stateName: 'ST',
+    organization: 'O',
+    organizationalUnit: 'OU',
+};
+const notAllowedCertificateCustomExtensions = [...Object.values(forge.pki.oids)];
+export class CertificateGenerator {
+    /**
+     * Generates certificate based on the provided parameters.
+     * @param params - Parameters for generating the certificate.
+     * @returns The generated certificate in PEM format.
+     */
+    static async generateCert(params) {
+        const ca = Boolean(params.ca);
+        const { publicKey: subjectPublicKey, privateKey: signerPrivateKey } = await CertificateGenerator.getCryptoKeys(params);
+        const signingAlgorithm = subjectPublicKey.algorithm;
+        const extensions = [new BasicConstraintsExtension(ca, undefined, true)];
+        const extendedKeyUsageItems = [];
+        if (signingAlgorithm.namedCurve !== 'K-256' && params.dnsNames?.length) {
+            const generalNames = params.dnsNames.map((dnsName) => ({
+                type: (isIpAddress(dnsName) ? 'ip' : 'dns'),
+                value: dnsName,
+            }));
+            extensions.push(new SubjectAlternativeNameExtension(generalNames));
+            extendedKeyUsageItems.push(...[ExtendedKeyUsage.serverAuth, ExtendedKeyUsage.clientAuth]);
+        }
+        if (params.ocspSigning) {
+            extendedKeyUsageItems.push(ExtendedKeyUsage.ocspSigning);
+        }
+        if (params.ocspExtension) {
+            const { ocspUrl, issuerCertUrl } = params.ocspExtension;
+            extensions.push(new AuthorityInfoAccessExtension({
+                ocsp: [ocspUrl],
+                ...(issuerCertUrl ? { caIssuers: [issuerCertUrl] } : {}),
+            }));
+        }
+        if (extendedKeyUsageItems.length) {
+            extensions.push(new ExtendedKeyUsageExtension(extendedKeyUsageItems, false));
+        }
+        let keyUsageFlags = KeyUsageFlags.digitalSignature | KeyUsageFlags.keyEncipherment;
+        if (params.ca) {
+            keyUsageFlags |= KeyUsageFlags.keyCertSign;
+        }
+        extensions.push(new KeyUsagesExtension(keyUsageFlags, true));
+        const signerPublicKey = await CryptoKeysTransformer.cryptoPublicFromCryptoPrivate(signerPrivateKey);
+        extensions.push(...[
+            await AuthorityKeyIdentifierExtension.create(signerPublicKey),
+            await SubjectKeyIdentifierExtension.create(subjectPublicKey),
+        ]);
+        if (params.customExtensions?.length) {
+            const filteredExtensions = params.customExtensions.filter((ext) => !notAllowedCertificateCustomExtensions.includes(ext.oid));
+            for (const customExtension of filteredExtensions) {
+                if (!customExtension.oid || !customExtension.value) {
+                    throw new Error('Custom extension OID and value are required');
+                }
+                extensions.push(new Extension(customExtension.oid, false, customExtension.value));
+            }
+        }
+        const createCertificateParams = {
+            serialNumber: CertificateGenerator.generateSerialNumber(),
+            issuer: CertificateGenerator.getPrincipalInfo(params.issuer),
+            subject: CertificateGenerator.getPrincipalInfo(params.subject),
+            notBefore: new Date(Date.now() - ONE_HOUR_MS), //1 hour ago to avoid clock skew issues between servers
+            notAfter: params.notAfter,
+            publicKey: subjectPublicKey,
+            signingKey: signerPrivateKey,
+            signingAlgorithm,
+            extensions,
+        };
+        const cert = await X509CertificateGenerator.create(createCertificateParams);
+        return cert.toString('pem');
+    }
+    /**
+     * Generates a pair of cryptographic keys based on the specified signature algorithm.
+     * @param signatureAlgorithm - The algorithm to use for key generation.
+     * @returns A promise that resolves to a CryptoKeyPair containing the public and private keys.
+     */
+    static generateKeys(signatureAlgorithm) {
+        const algorithm = CertificateGenerator.getAlgorithm(signatureAlgorithm);
+        return cryptoProvider.subtle.generateKey(algorithm, true, ['sign', 'verify']);
+    }
+    /**
+     * Generates a Certificate Signing Request (CSR) based on the provided parameters.
+     * @param params - Parameters for generating the CSR.
+     * @returns The generated CSR in PEM format.
+     */
+    static async generateCsr(params) {
+        const keys = await CertificateGenerator.getCryptoKeys(params);
+        const signingAlgorithm = keys.publicKey.algorithm;
+        signingAlgorithm.hash = { name: 'SHA-256' };
+        const extensions = [];
+        if (signingAlgorithm.namedCurve !== 'K-256' && params.dnsNames?.length) {
+            const generalNames = params.dnsNames.map((dnsName) => ({
+                type: (isIpAddress(dnsName) ? 'ip' : 'dns'),
+                value: dnsName,
+            }));
+            extensions.push(new SubjectAlternativeNameExtension(generalNames));
+        }
+        if (params.customExtensions?.length) {
+            for (const customExtension of params.customExtensions) {
+                if (!customExtension.oid || !customExtension.value) {
+                    throw new Error(`Some custom extension missed OID or value`);
+                }
+                extensions.push(new Extension(customExtension.oid, false, customExtension.value));
+            }
+        }
+        const createCsrParams = {
+            name: CertificateGenerator.getPrincipalInfo(params.subject),
+            keys,
+            signingAlgorithm,
+            extensions,
+        };
+        const csr = await Pkcs10CertificateRequestGenerator.create(createCsrParams);
+        return csr.toString('pem');
+    }
+    /**
+     * Checks and parses a certificate in PEM format.
+     * @param certPem - The certificate in PEM format.
+     * @returns An object containing the parsed certificate details.
+     */
+    static async checkAndParseCert(certPem) {
+        const cert = new X509Certificate(certPem);
+        if (cert.issuer === cert.subject) {
+            const isValid = await cert.verify();
+            if (!isValid) {
+                throw new Error('Self-signed certificate signature verification failed');
+            }
+        }
+        const publicKey = await cryptoProvider.subtle.importKey('spki', cert.publicKey.rawData, Object.assign(cert.signatureAlgorithm, cert.publicKey.algorithm), true, ['verify']);
+        const authorityKeyIdentifierExt = cert.extensions.find((ext) => ext instanceof AuthorityKeyIdentifierExtension);
+        const authorityKeyIdentifier = authorityKeyIdentifierExt?.keyId;
+        const subjectKeyIdentifierExt = cert.extensions.find((ext) => ext instanceof SubjectKeyIdentifierExtension);
+        const subjectKeyIdentifier = subjectKeyIdentifierExt?.keyId;
+        return {
+            serialNumberHex: cert.serialNumber,
+            publicKey,
+            subject: cert.subject,
+            issuer: cert.issuer,
+            notBefore: cert.notBefore,
+            notAfter: cert.notAfter,
+            dnsNames: CertificateGenerator.extractDnsNamesFromExtensions(cert.extensions),
+            authorityKeyIdentifier,
+            subjectKeyIdentifier,
+            extensions: cert.extensions
+                .filter((ext) => ext.type !== forge.pki.oids['subjectAltName'])
+                .map((ext) => ({
+                oid: ext.type,
+                value: Buffer.from(ext.value),
+            })),
+        };
+    }
+    /**
+     * Checks and parses a Certificate Signing Request (CSR) in PEM format.
+     * @param csrPem - The CSR in PEM format.
+     * @returns An object containing the parsed CSR details.
+     */
+    static async checkAndParseCsr(csrPem) {
+        const csr = new Pkcs10CertificateRequest(csrPem);
+        const isValid = await csr.verify();
+        if (!isValid) {
+            throw new Error('CSR signature verification failed');
+        }
+        const publicKey = await cryptoProvider.subtle.importKey('spki', csr.publicKey.rawData, Object.assign(csr.signatureAlgorithm, csr.publicKey.algorithm), true, ['verify']);
+        const parsedCsr = {
+            subject: csr.subject,
+            publicKey,
+            dnsNames: CertificateGenerator.extractDnsNamesFromExtensions(csr.extensions),
+            extensions: csr.extensions
+                .filter((ext) => ext.type !== forge.pki.oids['subjectAltName'])
+                .map((ext) => ({
+                oid: ext.type,
+                value: Buffer.from(ext.value),
+            })),
+        };
+        return parsedCsr;
+    }
+    static async getCryptoKeys({ privateKey, publicKey }) {
+        const [pubKey, privKey] = await Promise.all([
+            typeof publicKey === 'string'
+                ? CryptoKeysTransformer.spkiPemToCryptoKey(publicKey)
+                : publicKey,
+            typeof privateKey === 'string'
+                ? CryptoKeysTransformer.pkcs8PemToCryptoKey(privateKey)
+                : privateKey,
+        ]);
+        assert.deepEqual(pubKey.algorithm, privKey.algorithm, 'Both keys must have same algorithm defined');
+        return { publicKey: pubKey, privateKey: privKey };
+    }
+    static generateSerialNumber() {
+        const uuid = randomUUID().replace(/-/g, '');
+        let serial = BigInt('0x' + uuid) % MAX_X509_SERIAL;
+        // Ensure the serial number is positive in ASN1
+        // 89abcdefABCDEF - set of all hex symbols that have 1 as first bit
+        const serialHex = serial.toString(16);
+        if (serialHex[0] && '89abcdefABCDEF'.includes(serialHex[0])) {
+            serial = serial >> 1n;
+        }
+        return serial.toString(16);
+    }
+    static getPrincipalInfo(principal) {
+        if (typeof principal === 'string') {
+            return principal;
+        }
+        if (!principal.commonName) {
+            throw new Error('Common name is required');
+        }
+        return Object.entries(principal)
+            .map(([key, value]) => `${principalAttributeMap[key] || key}=${value}`)
+            .join(',');
+    }
+    static getAlgorithm(signatureAlgorithm) {
+        switch (signatureAlgorithm) {
+            case 'RSASSA-PKCS1-SHA256':
+                return {
+                    name: 'RSASSA-PKCS1-v1_5',
+                    hash: 'SHA-256',
+                    publicExponent: new Uint8Array([1, 0, 1]), // 65537
+                    modulusLength: 2048,
+                };
+            case 'ECDSA-P-256-SHA256':
+                return {
+                    name: 'ECDSA',
+                    namedCurve: 'P-256',
+                };
+            case 'ECDSA-secp256k1-SHA256':
+                return {
+                    name: 'ECDSA',
+                    namedCurve: 'K-256',
+                };
+            default:
+                throw new Error(`Unsupported signature algorithm: ${signatureAlgorithm}`);
+        }
+    }
+    static extractDnsNamesFromExtensions(extensions) {
+        const subjectAltNameExt = extensions.find((ext) => ext.type === forge.pki.oids['subjectAltName']);
+        if (!subjectAltNameExt) {
+            return;
+        }
+        const dnsNames = subjectAltNameExt.names.items.map((item) => item.value);
+        return dnsNames;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhdG9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9nZW5lcmF0b3IudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxNQUFNLE1BQU0sUUFBUSxDQUFDO0FBQzVCLE9BQU8sRUFBRSxVQUFVLEVBQUUsTUFBTSxRQUFRLENBQUM7QUFDcEMsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sRUFFTCx3QkFBd0IsRUFDeEIseUJBQXlCLEVBQ3pCLHlCQUF5QixFQUN6QixTQUFTLEVBQ1QsK0JBQStCLEVBRy9CLGdCQUFnQixFQUNoQixhQUFhLEVBQ2Isa0JBQWtCLEVBQ2xCLGlDQUFpQyxFQUVqQyx3QkFBd0IsRUFDeEIsZUFBZSxFQUNmLDRCQUE0QixFQUM1QiwrQkFBK0IsRUFDL0IsNkJBQTZCLEdBQzlCLE1BQU0sZ0JBQWdCLENBQUM7QUFXeEIsT0FBTyxFQUFFLGNBQWMsRUFBRSxNQUFNLG1CQUFtQixDQUFDO0FBQ25ELE9BQU8sRUFBRSxxQkFBcUIsRUFBRSxNQUFNLG1DQUFtQyxDQUFDO0FBQzFFLE9BQU8sRUFBRSxXQUFXLEVBQUUsTUFBTSxvQkFBb0IsQ0FBQztBQUVqRCxNQUFNLGVBQWUsR0FBRyxNQUFNLENBQUMsSUFBSSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztBQUV0RCxNQUFNLFdBQVcsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDLHlCQUF5QjtBQUU3RCxNQUFNLHFCQUFxQixHQUEyQjtJQUNwRCxVQUFVLEVBQUUsSUFBSTtJQUNoQixPQUFPLEVBQUUsR0FBRztJQUNaLFlBQVksRUFBRSxHQUFHO0lBQ2pCLFNBQVMsRUFBRSxJQUFJO0lBQ2YsWUFBWSxFQUFFLEdBQUc7SUFDakIsa0JBQWtCLEVBQUUsSUFBSTtDQUN6QixDQUFDO0FBRUYsTUFBTSxxQ0FBcUMsR0FBRyxDQUFDLEdBQUcsTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7QUFFakYsTUFBTSxPQUFPLG9CQUFvQjtJQUMvQjs7OztPQUlHO0lBQ0gsTUFBTSxDQUFDLEtBQUssQ0FBQyxZQUFZLENBQUMsTUFBMEI7UUFDbEQsTUFBTSxFQUFFLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUU5QixNQUFNLEVBQUUsU0FBUyxFQUFFLGdCQUFnQixFQUFFLFVBQVUsRUFBRSxnQkFBZ0IsRUFBRSxHQUNqRSxNQUFNLG9CQUFvQixDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNuRCxNQUFNLGdCQUFnQixHQUFHLGdCQUFnQixDQUFDLFNBQXlCLENBQUM7UUFFcEUsTUFBTSxVQUFVLEdBQWdCLENBQUMsSUFBSSx5QkFBeUIsQ0FBQyxFQUFFLEVBQUUsU0FBUyxFQUFFLElBQUksQ0FBQyxDQUFDLENBQUM7UUFFckYsTUFBTSxxQkFBcUIsR0FBdUIsRUFBRSxDQUFDO1FBRXJELElBQUksZ0JBQWdCLENBQUMsVUFBVSxLQUFLLE9BQU8sSUFBSSxNQUFNLENBQUMsUUFBUSxFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ3ZFLE1BQU0sWUFBWSxHQUFxQixNQUFNLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDdkUsSUFBSSxFQUFFLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBb0I7Z0JBQzlELEtBQUssRUFBRSxPQUFPO2FBQ2YsQ0FBQyxDQUFDLENBQUM7WUFDSixVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksK0JBQStCLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQztZQUVuRSxxQkFBcUIsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLGdCQUFnQixDQUFDLFVBQVUsRUFBRSxnQkFBZ0IsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDO1FBQzVGLENBQUM7UUFFRCxJQUFJLE1BQU0sQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUN2QixxQkFBcUIsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDM0QsQ0FBQztRQUVELElBQUksTUFBTSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ3pCLE1BQU0sRUFBRSxPQUFPLEVBQUUsYUFBYSxFQUFFLEdBQUcsTUFBTSxDQUFDLGFBQWEsQ0FBQztZQUN4RCxVQUFVLENBQUMsSUFBSSxDQUNiLElBQUksNEJBQTRCLENBQUM7Z0JBQy9CLElBQUksRUFBRSxDQUFDLE9BQU8sQ0FBQztnQkFDZixHQUFHLENBQUMsYUFBYSxDQUFDLENBQUMsQ0FBQyxFQUFFLFNBQVMsRUFBRSxDQUFDLGFBQWEsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQzthQUN6RCxDQUFDLENBQ0gsQ0FBQztRQUNKLENBQUM7UUFFRCxJQUFJLHFCQUFxQixDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ2pDLFVBQVUsQ0FBQyxJQUFJLENBQUMsSUFBSSx5QkFBeUIsQ0FBQyxxQkFBcUIsRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDO1FBQy9FLENBQUM7UUFFRCxJQUFJLGFBQWEsR0FBRyxhQUFhLENBQUMsZ0JBQWdCLEdBQUcsYUFBYSxDQUFDLGVBQWUsQ0FBQztRQUNuRixJQUFJLE1BQU0sQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUNkLGFBQWEsSUFBSSxhQUFhLENBQUMsV0FBVyxDQUFDO1FBQzdDLENBQUM7UUFDRCxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksa0JBQWtCLENBQUMsYUFBYSxFQUFFLElBQUksQ0FBQyxDQUFDLENBQUM7UUFFN0QsTUFBTSxlQUFlLEdBQ25CLE1BQU0scUJBQXFCLENBQUMsNkJBQTZCLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztRQUM5RSxVQUFVLENBQUMsSUFBSSxDQUNiLEdBQUc7WUFDRCxNQUFNLCtCQUErQixDQUFDLE1BQU0sQ0FBQyxlQUFlLENBQUM7WUFDN0QsTUFBTSw2QkFBNkIsQ0FBQyxNQUFNLENBQUMsZ0JBQWdCLENBQUM7U0FDN0QsQ0FDRixDQUFDO1FBRUYsSUFBSSxNQUFNLENBQUMsZ0JBQWdCLEVBQUUsTUFBTSxFQUFFLENBQUM7WUFDcEMsTUFBTSxrQkFBa0IsR0FBRyxNQUFNLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxDQUN2RCxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsQ0FBQyxxQ0FBcUMsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUNsRSxDQUFDO1lBQ0YsS0FBSyxNQUFNLGVBQWUsSUFBSSxrQkFBa0IsRUFBRSxDQUFDO2dCQUNqRCxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsSUFBSSxDQUFDLGVBQWUsQ0FBQyxLQUFLLEVBQUUsQ0FBQztvQkFDbkQsTUFBTSxJQUFJLEtBQUssQ0FBQyw2Q0FBNkMsQ0FBQyxDQUFDO2dCQUNqRSxDQUFDO2dCQUNELFVBQVUsQ0FBQyxJQUFJLENBQUMsSUFBSSxTQUFTLENBQUMsZUFBZSxDQUFDLEdBQUcsRUFBRSxLQUFLLEVBQUUsZUFBZSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUM7WUFDcEYsQ0FBQztRQUNILENBQUM7UUFFRCxNQUFNLHVCQUF1QixHQUFnQztZQUMzRCxZQUFZLEVBQUUsb0JBQW9CLENBQUMsb0JBQW9CLEVBQUU7WUFDekQsTUFBTSxFQUFFLG9CQUFvQixDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUM7WUFDNUQsT0FBTyxFQUFFLG9CQUFvQixDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUM7WUFDOUQsU0FBUyxFQUFFLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxXQUFXLENBQUMsRUFBRSx1REFBdUQ7WUFDdEcsUUFBUSxFQUFFLE1BQU0sQ0FBQyxRQUFRO1lBQ3pCLFNBQVMsRUFBRSxnQkFBZ0I7WUFDM0IsVUFBVSxFQUFFLGdCQUFnQjtZQUM1QixnQkFBZ0I7WUFDaEIsVUFBVTtTQUNYLENBQUM7UUFFRixNQUFNLElBQUksR0FBRyxNQUFNLHdCQUF3QixDQUFDLE1BQU0sQ0FBQyx1QkFBdUIsQ0FBQyxDQUFDO1FBRTVFLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUM5QixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxZQUFZLENBQUMsa0JBQXNDO1FBQ3hELE1BQU0sU0FBUyxHQUFHLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO1FBQ3hFLE9BQU8sY0FBYyxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsU0FBUyxFQUFFLElBQUksRUFBRSxDQUFDLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQyxDQUFDO0lBQ2hGLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsTUFBTSxDQUFDLEtBQUssQ0FBQyxXQUFXLENBQUMsTUFBeUI7UUFDaEQsTUFBTSxJQUFJLEdBQUcsTUFBTSxvQkFBb0IsQ0FBQyxhQUFhLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDOUQsTUFBTSxnQkFBZ0IsR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDLFNBQXlCLENBQUM7UUFDbEUsZ0JBQWdCLENBQUMsSUFBSSxHQUFHLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxDQUFDO1FBRTVDLE1BQU0sVUFBVSxHQUFnQixFQUFFLENBQUM7UUFFbkMsSUFBSSxnQkFBZ0IsQ0FBQyxVQUFVLEtBQUssT0FBTyxJQUFJLE1BQU0sQ0FBQyxRQUFRLEVBQUUsTUFBTSxFQUFFLENBQUM7WUFDdkUsTUFBTSxZQUFZLEdBQXFCLE1BQU0sQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUN2RSxJQUFJLEVBQUUsQ0FBQyxXQUFXLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFvQjtnQkFDOUQsS0FBSyxFQUFFLE9BQU87YUFDZixDQUFDLENBQUMsQ0FBQztZQUNKLFVBQVUsQ0FBQyxJQUFJLENBQUMsSUFBSSwrQkFBK0IsQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDO1FBQ3JFLENBQUM7UUFFRCxJQUFJLE1BQU0sQ0FBQyxnQkFBZ0IsRUFBRSxNQUFNLEVBQUUsQ0FBQztZQUNwQyxLQUFLLE1BQU0sZUFBZSxJQUFJLE1BQU0sQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO2dCQUN0RCxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsSUFBSSxDQUFDLGVBQWUsQ0FBQyxLQUFLLEVBQUUsQ0FBQztvQkFDbkQsTUFBTSxJQUFJLEtBQUssQ0FBQywyQ0FBMkMsQ0FBQyxDQUFDO2dCQUMvRCxDQUFDO2dCQUNELFVBQVUsQ0FBQyxJQUFJLENBQUMsSUFBSSxTQUFTLENBQUMsZUFBZSxDQUFDLEdBQUcsRUFBRSxLQUFLLEVBQUUsZUFBZSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUM7WUFDcEYsQ0FBQztRQUNILENBQUM7UUFFRCxNQUFNLGVBQWUsR0FBeUM7WUFDNUQsSUFBSSxFQUFFLG9CQUFvQixDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUM7WUFDM0QsSUFBSTtZQUNKLGdCQUFnQjtZQUNoQixVQUFVO1NBQ1gsQ0FBQztRQUVGLE1BQU0sR0FBRyxHQUFHLE1BQU0saUNBQWlDLENBQUMsTUFBTSxDQUFDLGVBQWUsQ0FBQyxDQUFDO1FBRTVFLE9BQU8sR0FBRyxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUM3QixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsaUJBQWlCLENBQUMsT0FBZTtRQUM1QyxNQUFNLElBQUksR0FBRyxJQUFJLGVBQWUsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUUxQyxJQUFJLElBQUksQ0FBQyxNQUFNLEtBQUssSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ2pDLE1BQU0sT0FBTyxHQUFHLE1BQU0sSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ3BDLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztnQkFDYixNQUFNLElBQUksS0FBSyxDQUFDLHVEQUF1RCxDQUFDLENBQUM7WUFDM0UsQ0FBQztRQUNILENBQUM7UUFFRCxNQUFNLFNBQVMsR0FBRyxNQUFNLGNBQWMsQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUNyRCxNQUFNLEVBQ04sSUFBSSxDQUFDLFNBQVMsQ0FBQyxPQUFPLEVBQ3RCLE1BQU0sQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLGtCQUFrQixFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLEVBQ2hFLElBQUksRUFDSixDQUFDLFFBQVEsQ0FBQyxDQUNYLENBQUM7UUFFRixNQUFNLHlCQUF5QixHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUNwRCxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxZQUFZLCtCQUErQixDQUNULENBQUM7UUFDakQsTUFBTSxzQkFBc0IsR0FBRyx5QkFBeUIsRUFBRSxLQUFLLENBQUM7UUFFaEUsTUFBTSx1QkFBdUIsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksQ0FDbEQsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsWUFBWSw2QkFBNkIsQ0FDVCxDQUFDO1FBQy9DLE1BQU0sb0JBQW9CLEdBQUcsdUJBQXVCLEVBQUUsS0FBSyxDQUFDO1FBRTVELE9BQU87WUFDTCxlQUFlLEVBQUUsSUFBSSxDQUFDLFlBQVk7WUFDbEMsU0FBUztZQUNULE9BQU8sRUFBRSxJQUFJLENBQUMsT0FBTztZQUNyQixNQUFNLEVBQUUsSUFBSSxDQUFDLE1BQU07WUFDbkIsU0FBUyxFQUFFLElBQUksQ0FBQyxTQUFTO1lBQ3pCLFFBQVEsRUFBRSxJQUFJLENBQUMsUUFBUTtZQUN2QixRQUFRLEVBQUUsb0JBQW9CLENBQUMsNkJBQTZCLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQztZQUM3RSxzQkFBc0I7WUFDdEIsb0JBQW9CO1lBQ3BCLFVBQVUsRUFBRSxJQUFJLENBQUMsVUFBVTtpQkFDeEIsTUFBTSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsSUFBSSxLQUFLLEtBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQUM7aUJBQzlELEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDYixHQUFHLEVBQUUsR0FBRyxDQUFDLElBQUk7Z0JBQ2IsS0FBSyxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQzthQUM5QixDQUFDLENBQUM7U0FDTixDQUFDO0lBQ0osQ0FBQztJQUVEOzs7O09BSUc7SUFDSCxNQUFNLENBQUMsS0FBSyxDQUFDLGdCQUFnQixDQUFDLE1BQWM7UUFDMUMsTUFBTSxHQUFHLEdBQUcsSUFBSSx3QkFBd0IsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUVqRCxNQUFNLE9BQU8sR0FBRyxNQUFNLEdBQUcsQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUNuQyxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDYixNQUFNLElBQUksS0FBSyxDQUFDLG1DQUFtQyxDQUFDLENBQUM7UUFDdkQsQ0FBQztRQUVELE1BQU0sU0FBUyxHQUFHLE1BQU0sY0FBYyxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3JELE1BQU0sRUFDTixHQUFHLENBQUMsU0FBUyxDQUFDLE9BQU8sRUFDckIsTUFBTSxDQUFDLE1BQU0sQ0FBQyxHQUFHLENBQUMsa0JBQWtCLEVBQUUsR0FBRyxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsRUFDOUQsSUFBSSxFQUNKLENBQUMsUUFBUSxDQUFDLENBQ1gsQ0FBQztRQUVGLE1BQU0sU0FBUyxHQUFjO1lBQzNCLE9BQU8sRUFBRSxHQUFHLENBQUMsT0FBTztZQUNwQixTQUFTO1lBQ1QsUUFBUSxFQUFFLG9CQUFvQixDQUFDLDZCQUE2QixDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUM7WUFDNUUsVUFBVSxFQUFFLEdBQUcsQ0FBQyxVQUFVO2lCQUN2QixNQUFNLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxJQUFJLEtBQUssS0FBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztpQkFDOUQsR0FBRyxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUNiLEdBQUcsRUFBRSxHQUFHLENBQUMsSUFBSTtnQkFDYixLQUFLLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDO2FBQzlCLENBQUMsQ0FBQztTQUNOLENBQUM7UUFFRixPQUFPLFNBQVMsQ0FBQztJQUNuQixDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQUssQ0FBQyxhQUFhLENBQUMsRUFBRSxVQUFVLEVBQUUsU0FBUyxFQUFtQjtRQUkzRSxNQUFNLENBQUMsTUFBTSxFQUFFLE9BQU8sQ0FBQyxHQUFHLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQztZQUMxQyxPQUFPLFNBQVMsS0FBSyxRQUFRO2dCQUMzQixDQUFDLENBQUMscUJBQXFCLENBQUMsa0JBQWtCLENBQUMsU0FBUyxDQUFDO2dCQUNyRCxDQUFDLENBQUMsU0FBUztZQUNiLE9BQU8sVUFBVSxLQUFLLFFBQVE7Z0JBQzVCLENBQUMsQ0FBQyxxQkFBcUIsQ0FBQyxtQkFBbUIsQ0FBQyxVQUFVLENBQUM7Z0JBQ3ZELENBQUMsQ0FBQyxVQUFVO1NBQ2YsQ0FBQyxDQUFDO1FBRUgsTUFBTSxDQUFDLFNBQVMsQ0FDZCxNQUFNLENBQUMsU0FBUyxFQUNoQixPQUFPLENBQUMsU0FBUyxFQUNqQiw0Q0FBNEMsQ0FDN0MsQ0FBQztRQUVGLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxPQUFPLEVBQUUsQ0FBQztJQUNwRCxDQUFDO0lBRU8sTUFBTSxDQUFDLG9CQUFvQjtRQUNqQyxNQUFNLElBQUksR0FBRyxVQUFVLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBQzVDLElBQUksTUFBTSxHQUFHLE1BQU0sQ0FBQyxJQUFJLEdBQUcsSUFBSSxDQUFDLEdBQUcsZUFBZSxDQUFDO1FBRW5ELCtDQUErQztRQUMvQyxtRUFBbUU7UUFDbkUsTUFBTSxTQUFTLEdBQUcsTUFBTSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUN0QyxJQUFJLFNBQVMsQ0FBQyxDQUFDLENBQUMsSUFBSSxnQkFBZ0IsQ0FBQyxRQUFRLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQztZQUM1RCxNQUFNLEdBQUcsTUFBTSxJQUFJLEVBQUUsQ0FBQztRQUN4QixDQUFDO1FBRUQsT0FBTyxNQUFNLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQyxDQUFDO0lBQzdCLENBQUM7SUFFTyxNQUFNLENBQUMsZ0JBQWdCLENBQUMsU0FBd0M7UUFDdEUsSUFBSSxPQUFPLFNBQVMsS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUNsQyxPQUFPLFNBQVMsQ0FBQztRQUNuQixDQUFDO1FBRUQsSUFBSSxDQUFDLFNBQVMsQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUMxQixNQUFNLElBQUksS0FBSyxDQUFDLHlCQUF5QixDQUFDLENBQUM7UUFDN0MsQ0FBQztRQUVELE9BQU8sTUFBTSxDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUM7YUFDN0IsR0FBRyxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsS0FBSyxDQUFDLEVBQUUsRUFBRSxDQUFDLEdBQUcscUJBQXFCLENBQUMsR0FBRyxDQUFDLElBQUksR0FBRyxJQUFJLEtBQUssRUFBRSxDQUFDO2FBQ3RFLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNmLENBQUM7SUFFTyxNQUFNLENBQUMsWUFBWSxDQUFDLGtCQUEwQjtRQUNwRCxRQUFRLGtCQUFrQixFQUFFLENBQUM7WUFDM0IsS0FBSyxxQkFBcUI7Z0JBQ3hCLE9BQU87b0JBQ0wsSUFBSSxFQUFFLG1CQUFtQjtvQkFDekIsSUFBSSxFQUFFLFNBQVM7b0JBQ2YsY0FBYyxFQUFFLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxFQUFFLFFBQVE7b0JBQ25ELGFBQWEsRUFBRSxJQUFJO2lCQUNwQixDQUFDO1lBQ0osS0FBSyxvQkFBb0I7Z0JBQ3ZCLE9BQU87b0JBQ0wsSUFBSSxFQUFFLE9BQU87b0JBQ2IsVUFBVSxFQUFFLE9BQU87aUJBQ3BCLENBQUM7WUFDSixLQUFLLHdCQUF3QjtnQkFDM0IsT0FBTztvQkFDTCxJQUFJLEVBQUUsT0FBTztvQkFDYixVQUFVLEVBQUUsT0FBTztpQkFDcEIsQ0FBQztZQUNKO2dCQUNFLE1BQU0sSUFBSSxLQUFLLENBQUMsb0NBQW9DLGtCQUFrQixFQUFFLENBQUMsQ0FBQztRQUM5RSxDQUFDO0lBQ0gsQ0FBQztJQUVPLE1BQU0sQ0FBQyw2QkFBNkIsQ0FBQyxVQUF1QjtRQUNsRSxNQUFNLGlCQUFpQixHQUFHLFVBQVUsQ0FBQyxJQUFJLENBQ3ZDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsSUFBSSxLQUFLLEtBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQ1IsQ0FBQztRQUNqRCxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUN2QixPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sUUFBUSxHQUFHLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDekUsT0FBTyxRQUFRLENBQUM7SUFDbEIsQ0FBQztDQUNGIn0=

package/dist/mjs/certificates/helper.d.ts

@@ -0,0 +1,29 @@
+/// <reference types="node" />
+import * as pkijs from 'pkijs';
+import { AlgorithmObj, CertWithKeyIdentifiers, ValidateCertChainResult } from './types.js';
+import './setup-crypto.js';
+export declare class CertificatesHelper {
+    private static downloadedCertificateCache;
+    static derToPem(data: ArrayBuffer, type?: string): string;
+    static pemToDer(certPem: string): Uint8Array;
+    static splitPemCerts(certs: string): string[];
+    static getDomain(certPem: string): string | undefined;
+    static getExtensionValue(certParam: string | pkijs.Certificate, oid: string): Buffer | undefined;
+    static extractCAFromChain(certsPem: string): {
+        certs: string;
+        ca: string;
+    };
+    static getIssuer(certWithKeyIdent: CertWithKeyIdentifiers, potentialIssuersWithKeyIdent: CertWithKeyIdentifiers[]): CertWithKeyIdentifiers | undefined;
+    static pemChainToDer(certsPem: string): Uint8Array[];
+    static derChainToPem(certsDer: Uint8Array[]): string;
+    static downloadCertWithCache(url: string): Promise<Buffer>;
+    static buildChain(leaf: pkijs.Certificate | CertWithKeyIdentifiers, potentialIssuers: pkijs.Certificate[] | CertWithKeyIdentifiers[]): CertWithKeyIdentifiers[];
+    static sortCertsFromLeafToRoot(certsPem: string | string[] | pkijs.Certificate[] | CertWithKeyIdentifiers[]): CertWithKeyIdentifiers[];
+    static getCertPublicKeyAlgorithm(certPem: string): AlgorithmObj;
+    static getCsrPublicKeyAlgorithm(csrPem: string): AlgorithmObj;
+    static validateCertChain(certsPem: string | string[], caPem: string | string[], options?: {
+        offline?: boolean;
+    }): Promise<ValidateCertChainResult>;
+    static toPkiCerts(certs: string | string[]): pkijs.Certificate[];
+    static addKeyIdentifiersToCerts(certs: Array<pkijs.Certificate | CertWithKeyIdentifiers>): CertWithKeyIdentifiers[];
+}

package/dist/mjs/certificates/helper.js

@@ -0,0 +1,186 @@
+import _ from 'lodash';
+import axios from 'axios';
+import forge from 'node-forge';
+import * as pkijs from 'pkijs';
+import { Pkcs10CertificateRequest, X509Certificate } from '@peculiar/x509';
+import { createMemoryCache } from '../utils/cache/memory.js';
+import { OCSPHelper } from './ocsp.js';
+import { CRLHelper } from './crl.js';
+import './setup-crypto.js';
+import { OID_CUSTOM_EXTENSION_CHALLENGE_CERTIFICATE_ID, OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID, OID_CUSTOM_EXTENSION_CHALLENGE_ID, OID_CUSTOM_EXTENSION_NVIDIA_INFO_GPU, } from '@super-protocol/pki-common';
+const oidsForOcspCheck = [
+    OID_CUSTOM_EXTENSION_CHALLENGE_ID,
+    OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID,
+    OID_CUSTOM_EXTENSION_NVIDIA_INFO_GPU,
+    OID_CUSTOM_EXTENSION_CHALLENGE_CERTIFICATE_ID,
+];
+export class CertificatesHelper {
+    static downloadedCertificateCache = createMemoryCache();
+    static derToPem(data, type = 'CERTIFICATE') {
+        return forge.pem.encode({
+            contentDomain: null,
+            dekInfo: null,
+            headers: [],
+            procType: null,
+            type,
+            body: Buffer.from(data).toString('binary'),
+        });
+    }
+    static pemToDer(certPem) {
+        return Buffer.from(forge.pki.pemToDer(certPem).bytes(), 'binary');
+    }
+    static splitPemCerts(certs) {
+        const pemRegex = /(-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----)/g;
+        return certs.match(pemRegex) || [];
+    }
+    static getDomain(certPem) {
+        const cert = forge.pki.certificateFromPem(certPem);
+        return cert.subject.attributes.find((attribute) => attribute.name === 'commonName')
+            ?.value;
+    }
+    static getExtensionValue(certParam, oid) {
+        const cert = typeof certParam === 'string'
+            ? pkijs.Certificate.fromBER(CertificatesHelper.pemToDer(certParam))
+            : certParam;
+        const extension = cert.extensions?.find((ext) => ext.extnID === oid);
+        return extension && Buffer.from(extension.extnValue.valueBlock.toBER());
+    }
+    static extractCAFromChain(certsPem) {
+        const certs = CertificatesHelper.toPkiCerts(certsPem);
+        const splitCerts = _.partition(certs, (cert) => !cert.issuer.isEqual(cert.subject));
+        const toPemChain = (certs) => certs.map((cert) => CertificatesHelper.derToPem(cert.toSchema().toBER())).join('\n');
+        return {
+            certs: toPemChain(splitCerts[0]),
+            ca: toPemChain(splitCerts[1]),
+        };
+    }
+    static getIssuer(certWithKeyIdent, potentialIssuersWithKeyIdent) {
+        return potentialIssuersWithKeyIdent.find((potentialIssuer) => (certWithKeyIdent?.authorityKeyIdentifier && potentialIssuer.subjectKeyIdentifier
+            ? certWithKeyIdent.authorityKeyIdentifier.isEqual(potentialIssuer.subjectKeyIdentifier)
+            : certWithKeyIdent?.cert.issuer.isEqual(potentialIssuer.cert.subject)) &&
+            !certWithKeyIdent?.cert.subject.isEqual(certWithKeyIdent?.cert.issuer));
+    }
+    static pemChainToDer(certsPem) {
+        const certs = CertificatesHelper.splitPemCerts(certsPem);
+        return certs.map((certPem) => CertificatesHelper.pemToDer(certPem));
+    }
+    static derChainToPem(certsDer) {
+        return certsDer
+            .map((cert) => CertificatesHelper.derToPem(cert))
+            .join('')
+            .trim();
+    }
+    static async downloadCertWithCache(url) {
+        const responseData = await CertificatesHelper.downloadedCertificateCache.wrap(url, async () => {
+            const response = await axios(url, {
+                responseType: 'arraybuffer',
+            });
+            return response?.data;
+        }, {
+            ttl: 5 * 60 * 1000, //5 min
+        });
+        return responseData;
+    }
+    static buildChain(leaf, potentialIssuers) {
+        const chain = CertificatesHelper.addKeyIdentifiersToCerts([leaf]);
+        const potentialIssuersWithKeyIdentifiers = CertificatesHelper.addKeyIdentifiersToCerts(potentialIssuers);
+        let currentCert = chain[0];
+        do {
+            currentCert = CertificatesHelper.getIssuer(currentCert, potentialIssuersWithKeyIdentifiers);
+            if (currentCert) {
+                chain.push(currentCert);
+            }
+        } while (currentCert);
+        return chain;
+    }
+    static sortCertsFromLeafToRoot(certsPem) {
+        const allCerts = typeof certsPem === 'string' || certsPem.every((cert) => typeof cert === 'string')
+            ? CertificatesHelper.toPkiCerts(certsPem)
+            : certsPem;
+        const certsWithKeyIdentifiers = CertificatesHelper.addKeyIdentifiersToCerts(allCerts);
+        const leafs = certsWithKeyIdentifiers.filter((certToCheck) => !certsWithKeyIdentifiers.some((certsToCheckWith) => certToCheck.subjectKeyIdentifier && certsToCheckWith.authorityKeyIdentifier
+            ? certToCheck.subjectKeyIdentifier.isEqual(certsToCheckWith.authorityKeyIdentifier)
+            : certToCheck.cert.subject.isEqual(certsToCheckWith.cert.issuer)));
+        const chains = leafs
+            .map((leaf) => CertificatesHelper.buildChain(leaf.cert, allCerts))
+            .sort((one, two) => two.length - one.length);
+        return chains.flat();
+    }
+    static getCertPublicKeyAlgorithm(certPem) {
+        const cert = new X509Certificate(certPem);
+        const publicKey = cert.publicKey;
+        return publicKey.algorithm;
+    }
+    static getCsrPublicKeyAlgorithm(csrPem) {
+        const csr = new Pkcs10CertificateRequest(csrPem);
+        const publicKey = csr.publicKey;
+        return publicKey.algorithm;
+    }
+    static async validateCertChain(certsPem, caPem, options = {}) {
+        const { offline } = options;
+        // reverse() is needed because pkijs expects certificates to be ordered from root to leaf
+        const sortedCertsWithKeyIdent = CertificatesHelper.sortCertsFromLeafToRoot(certsPem).reverse();
+        const sortedCerts = sortedCertsWithKeyIdent.map((certWithKeyIdent) => certWithKeyIdent.cert);
+        const ca = CertificatesHelper.toPkiCerts(caPem);
+        try {
+            const crls = offline ? [] : await CRLHelper.getCRLFromCerts(sortedCerts);
+            const ocspBaseResponses = offline
+                ? []
+                : await OCSPHelper.getOCSPResponseFromCerts(sortedCertsWithKeyIdent, CertificatesHelper.addKeyIdentifiersToCerts(ca), oidsForOcspCheck);
+            const chainEngine = new pkijs.CertificateChainValidationEngine({
+                certs: sortedCerts,
+                trustedCerts: ca,
+                ocsps: ocspBaseResponses,
+                crls,
+            });
+            const verifyResult = await chainEngine.verify();
+            if (!verifyResult.result) {
+                return {
+                    isValid: false,
+                    errorMessage: verifyResult.resultMessage,
+                };
+            }
+            /**
+             * When verifying a certificate chain, chainEngine.verify() attempts to find a valid
+             * certification path using the provided certificates. It may ignore certificates that
+             * don't belong to the valid chain.
+             *
+             * This check ensures that all certificates we initially provided were actually used
+             * in the valid certification path that CertificateChainValidationEngine constructed.
+             * If any certificate was ignored/not used, we throw an error.
+             */
+            const isEachCertVerified = sortedCerts.every((cert) => verifyResult.certificatePath?.find((verifiedCert) => verifiedCert.serialNumber.isEqual(cert.serialNumber)));
+            if (!isEachCertVerified) {
+                throw new Error('Some of certificates do not belong to chain');
+            }
+            return {
+                isValid: true,
+            };
+        }
+        catch (err) {
+            return {
+                isValid: false,
+                errorMessage: err.message,
+            };
+        }
+    }
+    static toPkiCerts(certs) {
+        const certsArray = Array.isArray(certs) ? certs : CertificatesHelper.splitPemCerts(certs);
+        return certsArray.map((certPem) => pkijs.Certificate.fromBER(CertificatesHelper.pemToDer(certPem)));
+    }
+    static addKeyIdentifiersToCerts(certs) {
+        return certs.map((cert) => {
+            if ('cert' in cert) {
+                return cert;
+            }
+            const authorityKeyIdentifierExt = cert.extensions?.find((ext) => ext.extnID === forge.pki.oids['authorityKeyIdentifier'])?.parsedValue;
+            const subjectKeyIdentifierExt = cert.extensions?.find((ext) => ext.extnID === forge.pki.oids['subjectKeyIdentifier'])?.parsedValue;
+            return {
+                cert,
+                authorityKeyIdentifier: authorityKeyIdentifierExt?.keyIdentifier,
+                subjectKeyIdentifier: subjectKeyIdentifierExt,
+            };
+        });
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9oZWxwZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxDQUFDLE1BQU0sUUFBUSxDQUFDO0FBQ3ZCLE9BQU8sS0FBSyxNQUFNLE9BQU8sQ0FBQztBQUMxQixPQUFPLEtBQUssTUFBTSxZQUFZLENBQUM7QUFDL0IsT0FBTyxLQUFLLEtBQUssTUFBTSxPQUFPLENBQUM7QUFDL0IsT0FBTyxFQUFFLHdCQUF3QixFQUFFLGVBQWUsRUFBRSxNQUFNLGdCQUFnQixDQUFDO0FBQzNFLE9BQU8sRUFBRSxpQkFBaUIsRUFBRSxNQUFNLDBCQUEwQixDQUFDO0FBRTdELE9BQU8sRUFBRSxVQUFVLEVBQUUsTUFBTSxXQUFXLENBQUM7QUFDdkMsT0FBTyxFQUFFLFNBQVMsRUFBRSxNQUFNLFVBQVUsQ0FBQztBQUNyQyxPQUFPLG1CQUFtQixDQUFDO0FBQzNCLE9BQU8sRUFDTCw2Q0FBNkMsRUFDN0Msd0NBQXdDLEVBQ3hDLGlDQUFpQyxFQUNqQyxvQ0FBb0MsR0FDckMsTUFBTSw0QkFBNEIsQ0FBQztBQUlwQyxNQUFNLGdCQUFnQixHQUFHO0lBQ3ZCLGlDQUFpQztJQUNqQyx3Q0FBd0M7SUFDeEMsb0NBQW9DO0lBQ3BDLDZDQUE2QztDQUM5QyxDQUFDO0FBRUYsTUFBTSxPQUFPLGtCQUFrQjtJQUNyQixNQUFNLENBQUMsMEJBQTBCLEdBQUcsaUJBQWlCLEVBQUUsQ0FBQztJQUVoRSxNQUFNLENBQUMsUUFBUSxDQUFDLElBQWlCLEVBQUUsT0FBZSxhQUFhO1FBQzdELE9BQU8sS0FBSyxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUM7WUFDdEIsYUFBYSxFQUFFLElBQUk7WUFDbkIsT0FBTyxFQUFFLElBQUk7WUFDYixPQUFPLEVBQUUsRUFBRTtZQUNYLFFBQVEsRUFBRSxJQUFJO1lBQ2QsSUFBSTtZQUNKLElBQUksRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUM7U0FDM0MsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVELE1BQU0sQ0FBQyxRQUFRLENBQUMsT0FBZTtRQUM3QixPQUFPLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsS0FBSyxFQUFFLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDcEUsQ0FBQztJQUVELE1BQU0sQ0FBQyxhQUFhLENBQUMsS0FBYTtRQUNoQyxNQUFNLFFBQVEsR0FBRyxpRUFBaUUsQ0FBQztRQUNuRixPQUFPLEtBQUssQ0FBQyxLQUFLLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO0lBQ3JDLENBQUM7SUFFRCxNQUFNLENBQUMsU0FBUyxDQUFDLE9BQWU7UUFDOUIsTUFBTSxJQUFJLEdBQUcsS0FBSyxDQUFDLEdBQUcsQ0FBQyxrQkFBa0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUNuRCxPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsU0FBUyxDQUFDLElBQUksS0FBSyxZQUFZLENBQUM7WUFDakYsRUFBRSxLQUFlLENBQUM7SUFDdEIsQ0FBQztJQUVELE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxTQUFxQyxFQUFFLEdBQVc7UUFDekUsTUFBTSxJQUFJLEdBQ1IsT0FBTyxTQUFTLEtBQUssUUFBUTtZQUMzQixDQUFDLENBQUMsS0FBSyxDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsa0JBQWtCLENBQUMsUUFBUSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1lBQ25FLENBQUMsQ0FBQyxTQUFTLENBQUM7UUFDaEIsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFVBQVUsRUFBRSxJQUFJLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEtBQUssR0FBRyxDQUFDLENBQUM7UUFDckUsT0FBTyxTQUFTLElBQUksTUFBTSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxDQUFDO0lBQzFFLENBQUM7SUFFRCxNQUFNLENBQUMsa0JBQWtCLENBQUMsUUFBZ0I7UUFDeEMsTUFBTSxLQUFLLEdBQUcsa0JBQWtCLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQ3RELE1BQU0sVUFBVSxHQUFHLENBQUMsQ0FBQyxTQUFTLENBQUMsS0FBSyxFQUFFLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDO1FBRXBGLE1BQU0sVUFBVSxHQUFHLENBQUMsS0FBMEIsRUFBVSxFQUFFLENBQ3hELEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUMsS0FBSyxFQUFFLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUV2RixPQUFPO1lBQ0wsS0FBSyxFQUFFLFVBQVUsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7WUFDaEMsRUFBRSxFQUFFLFVBQVUsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7U0FDOUIsQ0FBQztJQUNKLENBQUM7SUFFRCxNQUFNLENBQUMsU0FBUyxDQUNkLGdCQUF3QyxFQUN4Qyw0QkFBc0Q7UUFFdEQsT0FBTyw0QkFBNEIsQ0FBQyxJQUFJLENBQ3RDLENBQUMsZUFBZSxFQUFFLEVBQUUsQ0FDbEIsQ0FBQyxnQkFBZ0IsRUFBRSxzQkFBc0IsSUFBSSxlQUFlLENBQUMsb0JBQW9CO1lBQy9FLENBQUMsQ0FBQyxnQkFBZ0IsQ0FBQyxzQkFBc0IsQ0FBQyxPQUFPLENBQUMsZUFBZSxDQUFDLG9CQUFvQixDQUFDO1lBQ3ZGLENBQUMsQ0FBQyxnQkFBZ0IsRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxlQUFlLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1lBQ3hFLENBQUMsZ0JBQWdCLEVBQUUsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsZ0JBQWdCLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUN6RSxDQUFDO0lBQ0osQ0FBQztJQUVELE1BQU0sQ0FBQyxhQUFhLENBQUMsUUFBZ0I7UUFDbkMsTUFBTSxLQUFLLEdBQUcsa0JBQWtCLENBQUMsYUFBYSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBRXpELE9BQU8sS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsa0JBQWtCLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUM7SUFDdEUsQ0FBQztJQUVELE1BQU0sQ0FBQyxhQUFhLENBQUMsUUFBc0I7UUFDekMsT0FBTyxRQUFRO2FBQ1osR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLENBQUM7YUFDaEQsSUFBSSxDQUFDLEVBQUUsQ0FBQzthQUNSLElBQUksRUFBRSxDQUFDO0lBQ1osQ0FBQztJQUVELE1BQU0sQ0FBQyxLQUFLLENBQUMscUJBQXFCLENBQUMsR0FBVztRQUM1QyxNQUFNLFlBQVksR0FBRyxNQUFNLGtCQUFrQixDQUFDLDBCQUEwQixDQUFDLElBQUksQ0FDM0UsR0FBRyxFQUNILEtBQUssSUFBSSxFQUFFO1lBQ1QsTUFBTSxRQUFRLEdBQUcsTUFBTSxLQUFLLENBQUMsR0FBRyxFQUFFO2dCQUNoQyxZQUFZLEVBQUUsYUFBYTthQUM1QixDQUFDLENBQUM7WUFDSCxPQUFPLFFBQVEsRUFBRSxJQUFJLENBQUM7UUFDeEIsQ0FBQyxFQUNEO1lBQ0UsR0FBRyxFQUFFLENBQUMsR0FBRyxFQUFFLEdBQUcsSUFBSSxFQUFFLE9BQU87U0FDNUIsQ0FDRixDQUFDO1FBRUYsT0FBTyxZQUFZLENBQUM7SUFDdEIsQ0FBQztJQUVELE1BQU0sQ0FBQyxVQUFVLENBQ2YsSUFBZ0QsRUFDaEQsZ0JBQWdFO1FBRWhFLE1BQU0sS0FBSyxHQUFHLGtCQUFrQixDQUFDLHdCQUF3QixDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUNsRSxNQUFNLGtDQUFrQyxHQUN0QyxrQkFBa0IsQ0FBQyx3QkFBd0IsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1FBQ2hFLElBQUksV0FBVyxHQUF1QyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFL0QsR0FBRyxDQUFDO1lBQ0YsV0FBVyxHQUFHLGtCQUFrQixDQUFDLFNBQVMsQ0FBQyxXQUFXLEVBQUUsa0NBQWtDLENBQUMsQ0FBQztZQUU1RixJQUFJLFdBQVcsRUFBRSxDQUFDO2dCQUNoQixLQUFLLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1lBQzFCLENBQUM7UUFDSCxDQUFDLFFBQVEsV0FBVyxFQUFFO1FBRXRCLE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztJQUVELE1BQU0sQ0FBQyx1QkFBdUIsQ0FDNUIsUUFBNEU7UUFFNUUsTUFBTSxRQUFRLEdBQ1osT0FBTyxRQUFRLEtBQUssUUFBUSxJQUFJLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLE9BQU8sSUFBSSxLQUFLLFFBQVEsQ0FBQztZQUNoRixDQUFDLENBQUMsa0JBQWtCLENBQUMsVUFBVSxDQUFDLFFBQTZCLENBQUM7WUFDOUQsQ0FBQyxDQUFFLFFBQWdDLENBQUM7UUFFeEMsTUFBTSx1QkFBdUIsR0FBRyxrQkFBa0IsQ0FBQyx3QkFBd0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUV0RixNQUFNLEtBQUssR0FBRyx1QkFBdUIsQ0FBQyxNQUFNLENBQzFDLENBQUMsV0FBVyxFQUFFLEVBQUUsQ0FDZCxDQUFDLHVCQUF1QixDQUFDLElBQUksQ0FBQyxDQUFDLGdCQUFnQixFQUFFLEVBQUUsQ0FDakQsV0FBVyxDQUFDLG9CQUFvQixJQUFJLGdCQUFnQixDQUFDLHNCQUFzQjtZQUN6RSxDQUFDLENBQUMsV0FBVyxDQUFDLG9CQUFvQixDQUFDLE9BQU8sQ0FBQyxnQkFBZ0IsQ0FBQyxzQkFBc0IsQ0FBQztZQUNuRixDQUFDLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FDbkUsQ0FDSixDQUFDO1FBRUYsTUFBTSxNQUFNLEdBQUcsS0FBSzthQUNqQixHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLGtCQUFrQixDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFLFFBQVEsQ0FBQyxDQUFDO2FBQ2pFLElBQUksQ0FBQyxDQUFDLEdBQUcsRUFBRSxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQy9DLE9BQU8sTUFBTSxDQUFDLElBQUksRUFBRSxDQUFDO0lBQ3ZCLENBQUM7SUFFRCxNQUFNLENBQUMseUJBQXlCLENBQUMsT0FBZTtRQUM5QyxNQUFNLElBQUksR0FBRyxJQUFJLGVBQWUsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUMxQyxNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDO1FBQ2pDLE9BQU8sU0FBUyxDQUFDLFNBQXlCLENBQUM7SUFDN0MsQ0FBQztJQUVELE1BQU0sQ0FBQyx3QkFBd0IsQ0FBQyxNQUFjO1FBQzVDLE1BQU0sR0FBRyxHQUFHLElBQUksd0JBQXdCLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDakQsTUFBTSxTQUFTLEdBQUcsR0FBRyxDQUFDLFNBQVMsQ0FBQztRQUNoQyxPQUFPLFNBQVMsQ0FBQyxTQUF5QixDQUFDO0lBQzdDLENBQUM7SUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLGlCQUFpQixDQUM1QixRQUEyQixFQUMzQixLQUF3QixFQUN4QixVQUFpQyxFQUFFO1FBRW5DLE1BQU0sRUFBRSxPQUFPLEVBQUUsR0FBRyxPQUFPLENBQUM7UUFFNUIseUZBQXlGO1FBQ3pGLE1BQU0sdUJBQXVCLEdBQUcsa0JBQWtCLENBQUMsdUJBQXVCLENBQUMsUUFBUSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUM7UUFDL0YsTUFBTSxXQUFXLEdBQUcsdUJBQXVCLENBQUMsR0FBRyxDQUFDLENBQUMsZ0JBQWdCLEVBQUUsRUFBRSxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxDQUFDO1FBQzdGLE1BQU0sRUFBRSxHQUFHLGtCQUFrQixDQUFDLFVBQVUsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUVoRCxJQUFJLENBQUM7WUFDSCxNQUFNLElBQUksR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsTUFBTSxTQUFTLENBQUMsZUFBZSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1lBQ3pFLE1BQU0saUJBQWlCLEdBQUcsT0FBTztnQkFDL0IsQ0FBQyxDQUFDLEVBQUU7Z0JBQ0osQ0FBQyxDQUFDLE1BQU0sVUFBVSxDQUFDLHdCQUF3QixDQUN2Qyx1QkFBdUIsRUFDdkIsa0JBQWtCLENBQUMsd0JBQXdCLENBQUMsRUFBRSxDQUFDLEVBQy9DLGdCQUFnQixDQUNqQixDQUFDO1lBRU4sTUFBTSxXQUFXLEdBQUcsSUFBSSxLQUFLLENBQUMsZ0NBQWdDLENBQUM7Z0JBQzdELEtBQUssRUFBRSxXQUFXO2dCQUNsQixZQUFZLEVBQUUsRUFBRTtnQkFDaEIsS0FBSyxFQUFFLGlCQUFpQjtnQkFDeEIsSUFBSTthQUNMLENBQUMsQ0FBQztZQUVILE1BQU0sWUFBWSxHQUFHLE1BQU0sV0FBVyxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ2hELElBQUksQ0FBQyxZQUFZLENBQUMsTUFBTSxFQUFFLENBQUM7Z0JBQ3pCLE9BQU87b0JBQ0wsT0FBTyxFQUFFLEtBQUs7b0JBQ2QsWUFBWSxFQUFFLFlBQVksQ0FBQyxhQUFhO2lCQUN6QyxDQUFDO1lBQ0osQ0FBQztZQUVEOzs7Ozs7OztlQVFHO1lBQ0gsTUFBTSxrQkFBa0IsR0FBRyxXQUFXLENBQUMsS0FBSyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FDcEQsWUFBWSxDQUFDLGVBQWUsRUFBRSxJQUFJLENBQUMsQ0FBQyxZQUFZLEVBQUUsRUFBRSxDQUNsRCxZQUFZLENBQUMsWUFBWSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQ3JELENBQ0YsQ0FBQztZQUNGLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO2dCQUN4QixNQUFNLElBQUksS0FBSyxDQUFDLDZDQUE2QyxDQUFDLENBQUM7WUFDakUsQ0FBQztZQUVELE9BQU87Z0JBQ0wsT0FBTyxFQUFFLElBQUk7YUFDZCxDQUFDO1FBQ0osQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixPQUFPO2dCQUNMLE9BQU8sRUFBRSxLQUFLO2dCQUNkLFlBQVksRUFBRyxHQUFhLENBQUMsT0FBTzthQUNyQyxDQUFDO1FBQ0osQ0FBQztJQUNILENBQUM7SUFFRCxNQUFNLENBQUMsVUFBVSxDQUFDLEtBQXdCO1FBQ3hDLE1BQU0sVUFBVSxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsa0JBQWtCLENBQUMsYUFBYSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQzFGLE9BQU8sVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQ2hDLEtBQUssQ0FBQyxXQUFXLENBQUMsT0FBTyxDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUNoRSxDQUFDO0lBQ0osQ0FBQztJQUVELE1BQU0sQ0FBQyx3QkFBd0IsQ0FDN0IsS0FBd0Q7UUFFeEQsT0FBTyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUU7WUFDeEIsSUFBSSxNQUFNLElBQUksSUFBSSxFQUFFLENBQUM7Z0JBQ25CLE9BQU8sSUFBOEIsQ0FBQztZQUN4QyxDQUFDO1lBRUQsTUFBTSx5QkFBeUIsR0FBRyxJQUFJLENBQUMsVUFBVSxFQUFFLElBQUksQ0FDckQsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEtBQUssS0FBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsd0JBQXdCLENBQUMsQ0FDakUsRUFBRSxXQUFpRCxDQUFDO1lBRXJELE1BQU0sdUJBQXVCLEdBQUcsSUFBSSxDQUFDLFVBQVUsRUFBRSxJQUFJLENBQ25ELENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsTUFBTSxLQUFLLEtBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLHNCQUFzQixDQUFDLENBQy9ELEVBQUUsV0FBc0MsQ0FBQztZQUUxQyxPQUFPO2dCQUNMLElBQUk7Z0JBQ0osc0JBQXNCLEVBQUUseUJBQXlCLEVBQUUsYUFBYTtnQkFDaEUsb0JBQW9CLEVBQUUsdUJBQXVCO2FBQzlDLENBQUM7UUFDSixDQUFDLENBQUMsQ0FBQztJQUNMLENBQUMifQ==

package/dist/mjs/certificates/index.d.ts

@@ -0,0 +1,5 @@
+export * from './helper.js';
+export * from './types.js';
+export * from './serializer.js';
+export * from './generator.js';
+export * from './ocsp.js';

package/dist/mjs/certificates/index.js

@@ -0,0 +1,6 @@
+export * from './helper.js';
+export * from './types.js';
+export * from './serializer.js';
+export * from './generator.js';
+export * from './ocsp.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2VydGlmaWNhdGVzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWMsYUFBYSxDQUFDO0FBQzVCLGNBQWMsWUFBWSxDQUFDO0FBQzNCLGNBQWMsaUJBQWlCLENBQUM7QUFDaEMsY0FBYyxnQkFBZ0IsQ0FBQztBQUMvQixjQUFjLFdBQVcsQ0FBQyJ9

package/dist/mjs/certificates/ocsp.d.ts

@@ -0,0 +1,14 @@
+import * as pkijs from 'pkijs';
+import { CertWithKeyIdentifiers, GenerateOcspResponseParams, ParsedOcspRequest } from '../index.js';
+export declare class OCSPHelper {
+    static getOCSPResponseFromCerts(certs: CertWithKeyIdentifiers[], ca: CertWithKeyIdentifiers[], oidsToCheck?: string[]): Promise<pkijs.BasicOCSPResponse[]>;
+    static generateOCSPResponse(params: GenerateOcspResponseParams): Promise<ArrayBuffer>;
+    static parseOCSPRequest(ocspRequestBinary: ArrayBuffer): ParsedOcspRequest;
+    private static canCertSignOCSPResponse;
+    private static getOCSPRequestData;
+    private static getOCSPResponse;
+    private static sendOCSPRequest;
+    private static getNonceForRequest;
+    private static getNonceFromResponse;
+    private static getCertExtensionsToCheck;
+}