@zetra/citrineos-util 1.8.3-fork.1

package/dist/certificate/CertificateUtil.js

@@ -0,0 +1,317 @@
+// SPDX-FileCopyrightText: 2025 Contributors to the CitrineOS Project
+//
+// SPDX-License-Identifier: Apache-2.0
+import * as pkijs from 'pkijs';
+import { CertificationRequest } from 'pkijs';
+import * as asn1js from 'asn1js';
+import { fromBER } from 'asn1js';
+import { Certificate, CountryNameEnumType, SignatureAlgorithmEnumType } from '@citrineos/data';
+import jsrsasign from 'jsrsasign';
+import { fromBase64, stringToArrayBuffer } from 'pvutils';
+import moment from 'moment';
+import { Logger } from 'tslog';
+var KJUR = jsrsasign.KJUR;
+var OCSPRequest = jsrsasign.KJUR.asn1.ocsp.OCSPRequest;
+var Request = jsrsasign.KJUR.asn1.ocsp.Request;
+var X509 = jsrsasign.X509;
+var KEYUTIL = jsrsasign.KEYUTIL;
+export const dateTimeFormat = 'YYMMDDHHmmssZ';
+export function getValidityTimeString(time) {
+    return time.utc().format('YYMMDDHHmmss').concat('Z');
+}
+export function createPemBlock(content) {
+    return `-----BEGIN CERTIFICATE-----\n${content}\n-----END CERTIFICATE-----\n`;
+}
+/*
+ * Parse the certificate chain and extract certificates
+ * @param pem - certificate chain pem containing multiple certificate blocks
+ * @return array of certificate pem blocks
+ */
+export function parseCertificateChainPem(pem) {
+    const certs = [];
+    pem
+        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+        ?.forEach((certPem) => certs.push(certPem));
+    return certs;
+}
+/**
+ * Decode the pem and extract certificates
+ * @param pem - base64 encoded certificate chain string without header and footer
+ * @return array of pkijs.CertificateSetItem
+ */
+export function extractCertificateArrayFromEncodedString(pem) {
+    try {
+        const cmsSignedBuffer = Buffer.from(pem, 'base64');
+        const asn1 = asn1js.fromBER(cmsSignedBuffer);
+        const cmsContent = new pkijs.ContentInfo({ schema: asn1.result });
+        const cmsSigned = new pkijs.SignedData({ schema: cmsContent.content });
+        if (cmsSigned.certificates && cmsSigned.certificates.length > 0) {
+            return cmsSigned.certificates;
+        }
+        else {
+            return [];
+        }
+    }
+    catch (e) {
+        throw new Error(`Failed to extract certificate ${pem} due to ${e}`);
+    }
+}
+/**
+ * extracts the base64-encoded content from a pem encoded csr
+ * @param csrPem
+ * @private
+ * @return {string} The parsed CSR or the original CSR if it cannot be parsed
+ */
+export function extractEncodedContentFromCSR(csrPem) {
+    return csrPem
+        .replace(/-----BEGIN CERTIFICATE REQUEST-----/, '')
+        .replace(/-----END CERTIFICATE REQUEST-----/, '')
+        .replace(/\n/g, '');
+}
+/**
+ * Generate certificate and its private key
+ *
+ * @param certificateEntity - the certificate
+ * @param logger - the logger
+ * @param issuerKeyPem - the issuer private key
+ * @param issuerCertPem - the issuer certificate
+ *
+ * @return generated certificate pem and its private key pem
+ */
+export function generateCertificate(certificateEntity, logger, issuerKeyPem, issuerCertPem) {
+    // Generate a key pair
+    let keyPair;
+    logger.debug(`Private key signAlgorithm: ${certificateEntity.signatureAlgorithm}`);
+    if (certificateEntity.signatureAlgorithm === SignatureAlgorithmEnumType.RSA) {
+        keyPair = jsrsasign.KEYUTIL.generateKeypair('RSA', certificateEntity.keyLength ? certificateEntity.keyLength : 2048);
+    }
+    else {
+        keyPair = jsrsasign.KEYUTIL.generateKeypair('EC', 'secp256r1');
+    }
+    const privateKeyPem = jsrsasign.KEYUTIL.getPEM(keyPair.prvKeyObj, 'PKCS8PRV');
+    const publicKeyPem = jsrsasign.KEYUTIL.getPEM(keyPair.pubKeyObj);
+    logger.debug(`Created publicKeyPem: ${publicKeyPem}`);
+    let issuerCertObj;
+    if (issuerCertPem) {
+        issuerCertObj = new X509();
+        issuerCertObj.readCertPEM(issuerCertPem);
+    }
+    // Prepare certificate attributes
+    let subjectNotAfter = certificateEntity.validBefore
+        ? moment(certificateEntity.validBefore)
+        : moment().add(1, 'year');
+    const subjectString = `/CN=${certificateEntity.commonName}/O=${certificateEntity.organizationName}/C=${certificateEntity.countryName}`;
+    let issuerParam = { str: subjectString };
+    if (issuerCertObj) {
+        const issuerNotAfter = moment(issuerCertObj.getNotAfter(), dateTimeFormat);
+        if (subjectNotAfter.isAfter(issuerNotAfter)) {
+            subjectNotAfter = issuerNotAfter;
+        }
+        issuerParam = { str: issuerCertObj.getSubjectString() };
+    }
+    // Prepare certificate extensions
+    const keyUsages = ['digitalSignature', 'keyCertSign', 'crlSign'];
+    if (!certificateEntity.isCA) {
+        keyUsages.push('keyEncipherment');
+    }
+    let basicConstraints = {
+        extname: 'basicConstraints',
+        critical: true,
+        cA: certificateEntity.isCA,
+    };
+    if (certificateEntity.pathLen) {
+        basicConstraints = {
+            extname: 'basicConstraints',
+            cA: certificateEntity.isCA,
+            pathLen: certificateEntity.pathLen,
+        };
+    }
+    const extensions = [
+        basicConstraints,
+        { extname: 'keyUsage', critical: true, names: keyUsages },
+        { extname: 'subjectKeyIdentifier', kid: publicKeyPem },
+    ];
+    if (issuerCertObj) {
+        extensions.push({
+            extname: 'authorityKeyIdentifier',
+            kid: issuerCertPem,
+            isscert: issuerCertPem,
+        });
+    }
+    // Prepare certificate sign parameters
+    const signAlgorithm = certificateEntity.signatureAlgorithm === SignatureAlgorithmEnumType.RSA
+        ? SignatureAlgorithmEnumType.RSA
+        : SignatureAlgorithmEnumType.ECDSA;
+    logger.debug(`Certificate SignAlgorithm: ${signAlgorithm}`);
+    const caKey = issuerKeyPem ? issuerKeyPem : privateKeyPem;
+    // Generate certificate
+    const certificate = new KJUR.asn1.x509.Certificate({
+        version: 3,
+        serial: { int: moment().valueOf() },
+        notbefore: getValidityTimeString(moment()),
+        notafter: getValidityTimeString(subjectNotAfter),
+        issuer: issuerParam,
+        subject: { str: subjectString },
+        sbjpubkey: keyPair.pubKeyObj,
+        ext: extensions,
+        sigalg: signAlgorithm,
+        cakey: caKey,
+    });
+    return [certificate.getPEM(), privateKeyPem];
+}
+/**
+ * Create a signed certificate for the provided CSR using the issuer certificate, and its private key.
+ *
+ * @param csrPem - The CSR that need to be signed.
+ * @param issuerCertPem - The issuer certificate.
+ * @param issuerPrivateKeyPem - The issuer private key.
+ * @return {KJUR.asn1.x509.Certificate} The signed certificate.
+ */
+export function createSignedCertificateFromCSR(csrPem, issuerCertPem, issuerPrivateKeyPem) {
+    const csrObj = jsrsasign.KJUR.asn1.csr.CSRUtil.getParam(csrPem);
+    const issuerCertObj = new X509();
+    issuerCertObj.readCertPEM(issuerCertPem);
+    let subjectNotAfter = moment().add(1, 'year');
+    const issuerNotAfter = moment(issuerCertObj.getNotAfter(), dateTimeFormat);
+    if (subjectNotAfter.isAfter(issuerNotAfter)) {
+        subjectNotAfter = issuerNotAfter;
+    }
+    let extensions;
+    if (csrObj.extreq) {
+        extensions = csrObj.extreq;
+    }
+    else {
+        extensions = [
+            { extname: 'basicConstraints', cA: false },
+            {
+                extname: 'keyUsage',
+                critical: true,
+                names: ['digitalSignature', 'keyEncipherment'],
+            },
+        ];
+    }
+    extensions.push({ extname: 'subjectKeyIdentifier', kid: csrObj.sbjpubkey });
+    extensions.push({
+        extname: 'authorityKeyIdentifier',
+        kid: issuerCertPem,
+        isscert: issuerCertPem,
+    });
+    return new KJUR.asn1.x509.Certificate({
+        version: 3,
+        serial: { int: moment().valueOf() },
+        issuer: { str: issuerCertObj.getSubjectString() },
+        subject: { str: csrObj.subject.str },
+        notbefore: getValidityTimeString(moment()),
+        notafter: getValidityTimeString(subjectNotAfter),
+        sbjpubkey: csrObj.sbjpubkey,
+        ext: extensions,
+        sigalg: csrObj.sigalg,
+        cakey: issuerPrivateKeyPem,
+    });
+}
+export async function sendOCSPRequest(ocspRequest, responderURL) {
+    const response = await fetch(responderURL, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/ocsp-request',
+            Accept: 'application/ocsp-response',
+        },
+        body: ocspRequest.getEncodedHex(),
+    });
+    if (!response.ok) {
+        throw new Error(`Failed to fetch OCSP response from ${responderURL}: ${response.status} with error: ${await response.text()}`);
+    }
+    return await response.text();
+}
+export function parseCSRForVerification(csrPem) {
+    const certificateBuffer = stringToArrayBuffer(fromBase64(extractEncodedContentFromCSR(csrPem)));
+    const asn1 = fromBER(certificateBuffer);
+    return new CertificationRequest({ schema: asn1.result });
+}
+export function generateCSR(certificate) {
+    let keyPair;
+    if (certificate.signatureAlgorithm === SignatureAlgorithmEnumType.RSA) {
+        keyPair = KEYUTIL.generateKeypair('RSA', certificate.keyLength ? certificate.keyLength : 2048);
+    }
+    else {
+        keyPair = KEYUTIL.generateKeypair('EC', 'secp256r1');
+    }
+    const privateKeyPem = jsrsasign.KEYUTIL.getPEM(keyPair.prvKeyObj, 'PKCS8PRV');
+    const publicKeyPem = jsrsasign.KEYUTIL.getPEM(keyPair.pubKeyObj);
+    let basicConstraintParam;
+    if (certificate.pathLen) {
+        basicConstraintParam = {
+            cA: certificate.isCA,
+            pathLen: certificate.pathLen,
+        };
+    }
+    else {
+        basicConstraintParam = { cA: certificate.isCA };
+    }
+    const csr = new KJUR.asn1.csr.CertificationRequest({
+        subject: {
+            str: `/CN=${certificate.commonName}/O=${certificate.organizationName}/C=${certificate.countryName}`,
+        },
+        sbjpubkey: publicKeyPem,
+        extreq: [
+            { extname: 'basicConstraints', array: [basicConstraintParam] },
+            {
+                extname: 'keyUsage',
+                array: [
+                    {
+                        names: ['digitalSignature', 'keyEncipherment', 'keyCertSign', 'crlSign'],
+                    },
+                ],
+            },
+        ],
+        sigalg: certificate.signatureAlgorithm
+            ? certificate.signatureAlgorithm
+            : SignatureAlgorithmEnumType.ECDSA,
+        sbjprvkey: privateKeyPem,
+    });
+    return [csr.getPEM(), privateKeyPem];
+}
+export const parseX509Date = (date) => {
+    if (/^\d{14}Z$/.test(date)) {
+        // GeneralizedTime: YYYYMMDDHHMMSSZ
+        return moment.utc(date, 'YYYYMMDDHHmmss[Z]', true).toDate();
+    }
+    else if (/^\d{12}Z$/.test(date)) {
+        // UTCTime: YYMMDDHHMMSSZ (YY interpreted as 1950-2049)
+        return moment.utc(date, 'YYMMDDHHmmss[Z]', true).toDate();
+    }
+    else {
+        console.error(`Invalid X.509 date format: ${date}`);
+        return null;
+    }
+};
+export const extractCertificateDetails = (pemString) => {
+    try {
+        const cert = new jsrsasign.X509();
+        cert.readCertPEM(pemString);
+        // Extract details
+        const serialNumber = parseInt(cert.getSerialNumberHex());
+        const issuerName = cert.getIssuerString();
+        const organizationName = cert.getSubjectString().match(/\/O=([^/]+)/)?.[1] || null;
+        const commonName = cert.getSubjectString().match(/\/CN=([^/]+)/)?.[1] || null;
+        const countryName = (cert.getSubjectString().match(/\/C=([^/]+)/)?.[1] ||
+            null);
+        const notAfter = cert.getNotAfter();
+        const validBefore = parseX509Date(notAfter);
+        const signatureAlgorithm = cert.getSignatureAlgorithmField();
+        return {
+            serialNumber,
+            issuerName,
+            organizationName,
+            commonName,
+            countryName,
+            validBefore,
+            signatureAlgorithm,
+        };
+    }
+    catch (error) {
+        console.error('Error extracting certificate details:', error);
+        throw new Error('Invalid PEM format or unsupported certificate');
+    }
+};
+//# sourceMappingURL=CertificateUtil.js.map

package/dist/certificate/CertificateUtil.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CertificateUtil.js","sourceRoot":"","sources":["../../src/certificate/CertificateUtil.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,sCAAsC;AAEtC,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAE,oBAAoB,EAAE,MAAM,OAAO,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,iBAAiB,CAAC;AAC/F,OAAO,SAAS,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAC/B,IAAO,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;AAC7B,IAAO,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;AAC1D,IAAO,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC;AAClD,IAAO,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;AAC7B,IAAO,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC;AAEnC,MAAM,CAAC,MAAM,cAAc,GAAG,eAAe,CAAC;AAE9C,MAAM,UAAU,qBAAqB,CAAC,IAAmB;IACvD,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,OAAO,gCAAgC,OAAO,+BAA+B,CAAC;AAChF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,GAAW;IAClD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,GAAG;SACA,KAAK,CAAC,+DAA+D,CAAC;QACvE,EAAE,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wCAAwC,CAAC,GAAW;IAClE,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC7C,MAAM,UAAU,GAAG,IAAI,KAAK,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAClE,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,IAAI,SAAS,CAAC,YAAY,IAAI,SAAS,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChE,OAAO,SAAS,CAAC,YAAY,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,4BAA4B,CAAC,MAAc;IACzD,OAAO,MAAM;SACV,OAAO,CAAC,qCAAqC,EAAE,EAAE,CAAC;SAClD,OAAO,CAAC,mCAAmC,EAAE,EAAE,CAAC;SAChD,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CACjC,iBAA8B,EAC9B,MAAuB,EACvB,YAAqB,EACrB,aAAsB;IAEtB,sBAAsB;IACtB,IAAI,OAAO,CAAC;IACZ,MAAM,CAAC,KAAK,CAAC,8BAA8B,iBAAiB,CAAC,kBAAkB,EAAE,CAAC,CAAC;IACnF,IAAI,iBAAiB,CAAC,kBAAkB,KAAK,0BAA0B,CAAC,GAAG,EAAE,CAAC;QAC5E,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,eAAe,CACzC,KAAK,EACL,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CACjE,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,aAAa,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAC9E,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACjE,MAAM,CAAC,KAAK,CAAC,yBAAyB,YAAY,EAAE,CAAC,CAAC;IAEtD,IAAI,aAA+B,CAAC;IACpC,IAAI,aAAa,EAAE,CAAC;QAClB,aAAa,GAAG,IAAI,IAAI,EAAE,CAAC;QAC3B,aAAa,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAC3C,CAAC;IAED,iCAAiC;IACjC,IAAI,eAAe,GAAG,iBAAiB,CAAC,WAAW;QACjD,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,WAAW,CAAC;QACvC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAC5B,MAAM,aAAa,GAAG,OAAO,iBAAiB,CAAC,UAAU,MAAM,iBAAiB,CAAC,gBAAgB,MAAM,iBAAiB,CAAC,WAAW,EAAE,CAAC;IACvI,IAAI,WAAW,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,CAAC;IACzC,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,cAAc,GAAG,MAAM,CAAC,aAAa,CAAC,WAAW,EAAE,EAAE,cAAc,CAAC,CAAC;QAC3E,IAAI,eAAe,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC5C,eAAe,GAAG,cAAc,CAAC;QACnC,CAAC;QACD,WAAW,GAAG,EAAE,GAAG,EAAE,aAAa,CAAC,gBAAgB,EAAE,EAAE,CAAC;IAC1D,CAAC;IAED,iCAAiC;IACjC,MAAM,SAAS,GAAG,CAAC,kBAAkB,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC;IACjE,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;QAC5B,SAAS,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACpC,CAAC;IACD,IAAI,gBAAgB,GAAQ;QAC1B,OAAO,EAAE,kBAAkB;QAC3B,QAAQ,EAAE,IAAI;QACd,EAAE,EAAE,iBAAiB,CAAC,IAAI;KAC3B,CAAC;IACF,IAAI,iBAAiB,CAAC,OAAO,EAAE,CAAC;QAC9B,gBAAgB,GAAG;YACjB,OAAO,EAAE,kBAAkB;YAC3B,EAAE,EAAE,iBAAiB,CAAC,IAAI;YAC1B,OAAO,EAAE,iBAAiB,CAAC,OAAO;SACnC,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG;QACjB,gBAAgB;QAChB,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE;QACzD,EAAE,OAAO,EAAE,sBAAsB,EAAE,GAAG,EAAE,YAAY,EAAE;KACvD,CAAC;IACF,IAAI,aAAa,EAAE,CAAC;QAClB,UAAU,CAAC,IAAI,CAAC;YACd,OAAO,EAAE,wBAAwB;YACjC,GAAG,EAAE,aAAa;YAClB,OAAO,EAAE,aAAa;SACvB,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,MAAM,aAAa,GACjB,iBAAiB,CAAC,kBAAkB,KAAK,0BAA0B,CAAC,GAAG;QACrE,CAAC,CAAC,0BAA0B,CAAC,GAAG;QAChC,CAAC,CAAC,0BAA0B,CAAC,KAAK,CAAC;IACvC,MAAM,CAAC,KAAK,CAAC,8BAA8B,aAAa,EAAE,CAAC,CAAC;IAC5D,MAAM,KAAK,GAAG,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,aAAa,CAAC;IAE1D,uBAAuB;IACvB,MAAM,WAAW,GAA+B,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;QAC7E,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE;QACnC,SAAS,EAAE,qBAAqB,CAAC,MAAM,EAAE,CAAC;QAC1C,QAAQ,EAAE,qBAAqB,CAAC,eAAe,CAAC;QAChD,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,EAAE,GAAG,EAAE,aAAa,EAAE;QAC/B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,GAAG,EAAE,UAAU;QACf,MAAM,EAAE,aAAa;QACrB,KAAK,EAAE,KAAK;KACb,CAAC,CAAC;IAEH,OAAO,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,8BAA8B,CAC5C,MAAc,EACd,aAAqB,EACrB,mBAA2B;IAE3B,MAAM,MAAM,GAAgC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC7F,MAAM,aAAa,GAAG,IAAI,IAAI,EAAE,CAAC;IACjC,aAAa,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAEzC,IAAI,eAAe,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9C,MAAM,cAAc,GAAG,MAAM,CAAC,aAAa,CAAC,WAAW,EAAE,EAAE,cAAc,CAAC,CAAC;IAC3E,IAAI,eAAe,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QAC5C,eAAe,GAAG,cAAc,CAAC;IACnC,CAAC;IAED,IAAI,UAAiB,CAAC;IACtB,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,UAAU,GAAG;YACX,EAAE,OAAO,EAAE,kBAAkB,EAAE,EAAE,EAAE,KAAK,EAAE;YAC1C;gBACE,OAAO,EAAE,UAAU;gBACnB,QAAQ,EAAE,IAAI;gBACd,KAAK,EAAE,CAAC,kBAAkB,EAAE,iBAAiB,CAAC;aAC/C;SACF,CAAC;IACJ,CAAC;IACD,UAAU,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,GAAG,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAC5E,UAAU,CAAC,IAAI,CAAC;QACd,OAAO,EAAE,wBAAwB;QACjC,GAAG,EAAE,aAAa;QAClB,OAAO,EAAE,aAAa;KACvB,CAAC,CAAC;IAEH,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;QACpC,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE;QACnC,MAAM,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,gBAAgB,EAAE,EAAE;QACjD,OAAO,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE;QACpC,SAAS,EAAE,qBAAqB,CAAC,MAAM,EAAE,CAAC;QAC1C,QAAQ,EAAE,qBAAqB,CAAC,eAAe,CAAC;QAChD,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,GAAG,EAAE,UAAU;QACf,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,KAAK,EAAE,mBAAmB;KAC3B,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,WAAkC,EAClC,YAAoB;IAEpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;QACzC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,0BAA0B;YAC1C,MAAM,EAAE,2BAA2B;SACpC;QACD,IAAI,EAAE,WAAW,CAAC,aAAa,EAAE;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,sCAAsC,YAAY,KAAK,QAAQ,CAAC,MAAM,gBAAgB,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAC9G,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,MAAc;IACpD,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,UAAU,CAAC,4BAA4B,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAChG,MAAM,IAAI,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACxC,OAAO,IAAI,oBAAoB,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,WAAwB;IAClD,IAAI,OAAO,CAAC;IACZ,IAAI,WAAW,CAAC,kBAAkB,KAAK,0BAA0B,CAAC,GAAG,EAAE,CAAC;QACtE,OAAO,GAAG,OAAO,CAAC,eAAe,CAAC,KAAK,EAAE,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACjG,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACvD,CAAC;IACD,MAAM,aAAa,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAC9E,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEjE,IAAI,oBAAyB,CAAC;IAC9B,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,oBAAoB,GAAG;YACrB,EAAE,EAAE,WAAW,CAAC,IAAI;YACpB,OAAO,EAAE,WAAW,CAAC,OAAO;SAC7B,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,oBAAoB,GAAG,EAAE,EAAE,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC;QACjD,OAAO,EAAE;YACP,GAAG,EAAE,OAAO,WAAW,CAAC,UAAU,MAAM,WAAW,CAAC,gBAAgB,MAAM,WAAW,CAAC,WAAW,EAAE;SACpG;QACD,SAAS,EAAE,YAAY;QACvB,MAAM,EAAE;YACN,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,oBAAoB,CAAC,EAAE;YAC9D;gBACE,OAAO,EAAE,UAAU;gBACnB,KAAK,EAAE;oBACL;wBACE,KAAK,EAAE,CAAC,kBAAkB,EAAE,iBAAiB,EAAE,aAAa,EAAE,SAAS,CAAC;qBACzE;iBACF;aACF;SACF;QACD,MAAM,EAAE,WAAW,CAAC,kBAAkB;YACpC,CAAC,CAAC,WAAW,CAAC,kBAAkB;YAChC,CAAC,CAAC,0BAA0B,CAAC,KAAK;QACpC,SAAS,EAAE,aAAa;KACzB,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAY,EAAe,EAAE;IACzD,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,mCAAmC;QACnC,OAAO,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,mBAAmB,EAAE,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;IAC9D,CAAC;SAAM,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,uDAAuD;QACvD,OAAO,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,iBAAiB,EAAE,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,KAAK,CAAC,8BAA8B,IAAI,EAAE,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACvC,SAAiB,EASjB,EAAE;IACF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;QAClC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QAE5B,kBAAkB;QAClB,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;QAC1C,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QACnF,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAC9E,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC;YACpE,IAAI,CAA+B,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,WAAW,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,kBAAkB,GAAG,IAAI,CAAC,0BAA0B,EAAgC,CAAC;QAE3F,OAAO;YACL,YAAY;YACZ,UAAU;YACV,gBAAgB;YAChB,UAAU;YACV,WAAW;YACX,WAAW;YACX,kBAAkB;SACnB,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,uCAAuC,EAAE,KAAK,CAAC,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;AACH,CAAC,CAAC"}

package/dist/certificate/client/acme.d.ts

@@ -0,0 +1,37 @@
+import type { IChargingStationCertificateAuthorityClient } from './interface.js';
+import type { SystemConfig } from '@citrineos/base';
+import { Client } from 'acme-client';
+import type { ILogObj } from 'tslog';
+import { Logger } from 'tslog';
+export declare class Acme implements IChargingStationCertificateAuthorityClient {
+    private readonly _directoryUrl;
+    private readonly _email;
+    private readonly _preferredChain;
+    private _securityCertChainKeyMap;
+    private _client;
+    private _logger;
+    constructor(config: SystemConfig, logger?: Logger<ILogObj>, client?: Client);
+    /**
+     * Get LetsEncrypt Root CA certificate, ISRG Root X1.
+     * @return {Promise<string>} The CA certificate pem.
+     */
+    getRootCACertificate(): Promise<string>;
+    /**
+     * Retrieves a signed certificate based on the provided CSR.
+     * The returned certificate will be signed by Let's Encrypt, ISRG Root X1.
+     * which is listed in https://ccadb.my.salesforce-sites.com/mozilla/CAAIdentifiersReport
+     *
+     * @param {string} csrString - The certificate signing request.
+     * @return {Promise<string>} The signed certificate.
+     */
+    signCertificateByExternalCA(csrString: string): Promise<string>;
+    /**
+     * Get sub CA from the certificate chain.
+     * Use it to sign certificate based on the CSR string.
+     *
+     * @param {string} csrString - The Certificate Signing Request (CSR) string.
+     * @return {Promise<string>} - The signed certificate followed by sub CA in PEM format.
+     */
+    getCertificateChain(csrString: string): Promise<string>;
+    updateCertificateChainKeyMap(serverId: string, certificateChain: string, privateKey: string): void;
+}

package/dist/certificate/client/acme.js

@@ -0,0 +1,138 @@
+// SPDX-FileCopyrightText: 2025 Contributors to the CitrineOS Project
+//
+// SPDX-License-Identifier: Apache-2.0
+import * as acme from 'acme-client';
+import { Client } from 'acme-client';
+import { Logger } from 'tslog';
+import fs from 'fs';
+import { createSignedCertificateFromCSR, parseCertificateChainPem } from '../CertificateUtil.js';
+export class Acme {
+    _directoryUrl = acme.directory.letsencrypt.staging;
+    _email;
+    _preferredChain = {
+        name: 'ISRG Root X1',
+        file: 'isrgrootx1',
+    };
+    // Key: serverId, Value: [cert chain, sub ca private key]
+    _securityCertChainKeyMap = new Map();
+    _client;
+    _logger;
+    constructor(config, logger, client) {
+        this._logger = logger
+            ? logger.getSubLogger({ name: this.constructor.name })
+            : new Logger({ name: this.constructor.name });
+        config.util.networkConnection.websocketServers.forEach((server) => {
+            if (server.securityProfile === 3) {
+                try {
+                    this._securityCertChainKeyMap.set(server.id, [
+                        fs.readFileSync(server.tlsCertificateChainFilePath, 'utf8'),
+                        fs.readFileSync(server.mtlsCertificateAuthorityKeyFilePath, 'utf8'),
+                    ]);
+                }
+                catch (error) {
+                    this._logger.error('Unable to start Certificates module due to invalid security certificates for {}: {}', server, error);
+                    throw error;
+                }
+            }
+        });
+        this._email = config.util.certificateAuthority.chargingStationCA.acme?.email;
+        const accountKey = fs.readFileSync(config.util.certificateAuthority.chargingStationCA?.acme?.accountKeyFilePath);
+        const acmeEnv = config.util.certificateAuthority.chargingStationCA?.acme?.env;
+        if (acmeEnv === 'production') {
+            this._directoryUrl = acme.directory.letsencrypt.production;
+        }
+        this._client =
+            client ||
+                new acme.Client({
+                    directoryUrl: this._directoryUrl,
+                    accountKey: accountKey.toString(),
+                });
+    }
+    /**
+     * Get LetsEncrypt Root CA certificate, ISRG Root X1.
+     * @return {Promise<string>} The CA certificate pem.
+     */
+    async getRootCACertificate() {
+        const response = await fetch(`https://letsencrypt.org/certs/${this._preferredChain.file}.pem`);
+        if (!response.ok && response.status !== 304) {
+            throw new Error(`Failed to fetch certificate: ${response.status}: ${await response.text()}`);
+        }
+        return await response.text();
+    }
+    /**
+     * Retrieves a signed certificate based on the provided CSR.
+     * The returned certificate will be signed by Let's Encrypt, ISRG Root X1.
+     * which is listed in https://ccadb.my.salesforce-sites.com/mozilla/CAAIdentifiersReport
+     *
+     * @param {string} csrString - The certificate signing request.
+     * @return {Promise<string>} The signed certificate.
+     */
+    async signCertificateByExternalCA(csrString) {
+        const folderPath = '/usr/local/apps/citrineos/Server/src/assets/.well-known/acme-challenge';
+        const cert = await this._client?.auto({
+            csr: csrString,
+            email: this._email,
+            termsOfServiceAgreed: true,
+            preferredChain: this._preferredChain.name,
+            challengePriority: ['http-01'],
+            skipChallengeVerification: true,
+            challengeCreateFn: async (authz, challenge, keyAuthorization) => {
+                this._logger.debug('Triggered challengeCreateFn()');
+                const filePath = `${folderPath}/${challenge.token}`;
+                if (!fs.existsSync(folderPath)) {
+                    fs.mkdirSync(folderPath, { recursive: true });
+                    this._logger.debug(`Directory created: ${folderPath}`);
+                }
+                else {
+                    this._logger.debug(`Directory already exists: ${folderPath}`);
+                }
+                const fileContents = keyAuthorization;
+                this._logger.debug(`Creating challenge response ${fileContents} for ${authz.identifier.value} at path: ${filePath}`);
+                fs.writeFileSync(filePath, fileContents);
+            },
+            challengeRemoveFn: async (_authz, _challenge, _keyAuthorization) => {
+                this._logger.debug(`Triggered challengeRemoveFn(). Would remove "${folderPath}`);
+                fs.rmSync(folderPath, { recursive: true, force: true });
+            },
+        });
+        if (!cert) {
+            throw new Error('Failed to get signed certificate');
+        }
+        this._logger.debug(`Certificate singed by external CA: ${cert}`);
+        return cert;
+    }
+    /**
+     * Get sub CA from the certificate chain.
+     * Use it to sign certificate based on the CSR string.
+     *
+     * @param {string} csrString - The Certificate Signing Request (CSR) string.
+     * @return {Promise<string>} - The signed certificate followed by sub CA in PEM format.
+     */
+    async getCertificateChain(csrString) {
+        const nextEntry = this._securityCertChainKeyMap.entries().next().value;
+        if (!nextEntry) {
+            throw new Error('Failed to get certificate chain, securityCertChainKeyMap is empty');
+        }
+        const [serverId, [certChain, subCAPrivateKey]] = nextEntry;
+        this._logger.debug(`Found certificate chain in server ${serverId}: ${certChain}`);
+        const certChainArray = parseCertificateChainPem(certChain);
+        if (certChainArray.length < 2) {
+            throw new Error(`The size of the chain is ${certChainArray.length}. Sub CA certificate for signing not found`);
+        }
+        this._logger.info(`Found Sub CA certificate: ${certChainArray[1]}`);
+        const signedCertPem = createSignedCertificateFromCSR(csrString, certChainArray[1], subCAPrivateKey).getPEM();
+        // Generate and return certificate chain for signed certificate
+        certChainArray[0] = signedCertPem.replace(/\n+$/, '');
+        return certChainArray.join('\n');
+    }
+    updateCertificateChainKeyMap(serverId, certificateChain, privateKey) {
+        if (this._securityCertChainKeyMap.has(serverId)) {
+            this._securityCertChainKeyMap.set(serverId, [certificateChain, privateKey]);
+            this._logger.info(`Updated certificate chain key map for server ${serverId}`);
+        }
+        else {
+            this._logger.error(`Server ${serverId} not found in the map`);
+        }
+    }
+}
+//# sourceMappingURL=acme.js.map

package/dist/certificate/client/acme.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acme.js","sourceRoot":"","sources":["../../../src/certificate/client/acme.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,sCAAsC;AAItC,OAAO,KAAK,IAAI,MAAM,aAAa,CAAC;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,8BAA8B,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AAEjG,MAAM,OAAO,IAAI;IACE,aAAa,GAAW,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,OAAO,CAAC;IAC3D,MAAM,CAAqB;IAC3B,eAAe,GAAG;QACjC,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,YAAY;KACnB,CAAC;IACF,yDAAyD;IACjD,wBAAwB,GAAkC,IAAI,GAAG,EAAE,CAAC;IAEpE,OAAO,CAAqB;IAC5B,OAAO,CAAkB;IAEjC,YAAY,MAAoB,EAAE,MAAwB,EAAE,MAAe;QACzE,IAAI,CAAC,OAAO,GAAG,MAAM;YACnB,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;YACtD,CAAC,CAAC,IAAI,MAAM,CAAU,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;QAEzD,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;YAChE,IAAI,MAAM,CAAC,eAAe,KAAK,CAAC,EAAE,CAAC;gBACjC,IAAI,CAAC;oBACH,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE;wBAC3C,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,2BAAqC,EAAE,MAAM,CAAC;wBACrE,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,mCAA6C,EAAE,MAAM,CAAC;qBAC9E,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,CAAC,OAAO,CAAC,KAAK,CAChB,qFAAqF,EACrF,MAAM,EACN,KAAK,CACN,CAAC;oBACF,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC;QAC7E,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAChC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,iBAAiB,EAAE,IAAI,EAAE,kBAA4B,CACvF,CAAC;QACF,MAAM,OAAO,GACX,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,iBAAiB,EAAE,IAAI,EAAE,GAAG,CAAC;QAChE,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;YAC7B,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC,OAAO;YACV,MAAM;gBACN,IAAI,IAAI,CAAC,MAAM,CAAC;oBACd,YAAY,EAAE,IAAI,CAAC,aAAa;oBAChC,UAAU,EAAE,UAAU,CAAC,QAAQ,EAAE;iBAClC,CAAC,CAAC;IACP,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,oBAAoB;QACxB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,iCAAiC,IAAI,CAAC,eAAe,CAAC,IAAI,MAAM,CAAC,CAAC;QAE/F,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,MAAM,KAAK,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC/F,CAAC;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,2BAA2B,CAAC,SAAiB;QACjD,MAAM,UAAU,GAAG,wEAAwE,CAAC;QAE5F,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC;YACpC,GAAG,EAAE,SAAS;YACd,KAAK,EAAE,IAAI,CAAC,MAAM;YAClB,oBAAoB,EAAE,IAAI;YAC1B,cAAc,EAAE,IAAI,CAAC,eAAe,CAAC,IAAI;YACzC,iBAAiB,EAAE,CAAC,SAAS,CAAC;YAC9B,yBAAyB,EAAE,IAAI;YAC/B,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,EAAE;gBAC9D,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;gBACpD,MAAM,QAAQ,GAAG,GAAG,UAAU,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;gBACpD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;oBAC9C,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,sBAAsB,UAAU,EAAE,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,6BAA6B,UAAU,EAAE,CAAC,CAAC;gBAChE,CAAC;gBACD,MAAM,YAAY,GAAG,gBAAgB,CAAC;gBACtC,IAAI,CAAC,OAAO,CAAC,KAAK,CAChB,+BAA+B,YAAY,QAAQ,KAAK,CAAC,UAAU,CAAC,KAAK,aAAa,QAAQ,EAAE,CACjG,CAAC;gBACF,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YAC3C,CAAC;YACD,iBAAiB,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,iBAAiB,EAAE,EAAE;gBACjE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,gDAAgD,UAAU,EAAE,CAAC,CAAC;gBACjF,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1D,CAAC;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,sCAAsC,IAAI,EAAE,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB,CAAC,SAAiB;QACzC,MAAM,SAAS,GAAG,IAAI,CAAC,wBAAwB,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QACvE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;QACvF,CAAC;QACD,MAAM,CAAC,QAAQ,EAAE,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC,GAAG,SAAS,CAAC;QAC3D,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,qCAAqC,QAAQ,KAAK,SAAS,EAAE,CAAC,CAAC;QAElF,MAAM,cAAc,GAAa,wBAAwB,CAAC,SAAS,CAAC,CAAC;QACrE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,4BAA4B,cAAc,CAAC,MAAM,4CAA4C,CAC9F,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,6BAA6B,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAEpE,MAAM,aAAa,GAAW,8BAA8B,CAC1D,SAAS,EACT,cAAc,CAAC,CAAC,CAAC,EACjB,eAAe,CAChB,CAAC,MAAM,EAAE,CAAC;QAEX,+DAA+D;QAC/D,cAAc,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACtD,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,4BAA4B,CAC1B,QAAgB,EAChB,gBAAwB,EACxB,UAAkB;QAElB,IAAI,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChD,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC,CAAC;YAC5E,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,gDAAgD,QAAQ,EAAE,CAAC,CAAC;QAChF,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,QAAQ,uBAAuB,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;CACF"}

package/dist/certificate/client/hubject.d.ts

@@ -0,0 +1,41 @@
+import type { IV2GCertificateAuthorityClient } from './interface.js';
+import { type ICache, type SystemConfig } from '@citrineos/base';
+import type { ILogObj } from 'tslog';
+import { Logger } from 'tslog';
+export declare class Hubject implements IV2GCertificateAuthorityClient {
+    private readonly _baseUrl;
+    private readonly _tokenUrl;
+    private readonly _clientId;
+    private readonly _clientSecret;
+    private readonly _logger;
+    private readonly _cache;
+    private static readonly AUTH_TOKEN_CACHE_KEY;
+    private static readonly AUTH_TOKEN_CACHE_NAMESPACE;
+    constructor(config: SystemConfig, cache: ICache, logger?: Logger<ILogObj>);
+    /**
+     * Retrieves a signed certificate based on the provided CSR.
+     * DOC: https://hubject.stoplight.io/docs/open-plugncharge/486f0b8b3ded4-simple-enroll-iso-15118-2-and-iso-15118-20
+     *
+     * @param {string} csrString - The certificate signing request from SignCertificateRequest.
+     * @return {Promise<string>} The signed certificate without header and footer.
+     */
+    getSignedCertificate(csrString: string): Promise<string>;
+    /**
+     * Retrieves the CA certificates including sub CAs and root CA.
+     * DOC: https://hubject.stoplight.io/docs/open-plugncharge/e246aa213bc22-obtaining-ca-certificates-iso-15118-2-and-iso-15118-20
+     *
+     * @return {Promise<string>} The CA certificates.
+     */
+    getCACertificates(): Promise<string>;
+    getSignedContractData(xsdMsgDefNamespace: string, certificateInstallationReq: string): Promise<string>;
+    /**
+     * Retrieves all root certificates from Hubject.
+     * Refer to https://hubject.stoplight.io/docs/open-plugncharge/fdc9bdfdd4fb2-get-all-root-certificates
+     *
+     * @return {Promise<string[]>} Array of root certificate.
+     */
+    getRootCertificates(): Promise<string[]>;
+    private _getAuthorizationToken;
+    private _fetchNewToken;
+    private _makeAuthenticatedRequest;
+}