core-3nweb-client-lib 0.40.1 → 0.41.1

package/build/api-defs/files.d.ts

@@ -48,6 +48,7 @@ declare namespace web3n.files {
 		remoteNotSet?: true;
 		notLinkableFile?: true;
 		notLinkableFolder?: true;
+		badFnCallArguments?: true;
 	}
 
 	interface exceptionCode {

package/build/api-defs/mailerid.d.ts

@@ -1,5 +1,5 @@
 /*
- Copyright (C) 2020 3NSoft Inc.
+ Copyright (C) 2020, 2025 3NSoft Inc.
 
  This program is free software: you can redistribute it and/or modify it under
  the terms of the GNU General Public License as published by the Free Software
@@ -20,10 +20,36 @@ declare namespace web3n.mailerid {
 
 	interface Service {
 
+		/**
+		 * Returns MailerId/address of a current user.
+		 */
 		getUserId(): Promise<string>;
 
+		/**
+		 * Performs a MailerId-based login at a given url, returning session id.
+		 * @param serviceUrl 
+		 */
 		login(serviceUrl: string): Promise<string>;
 
+		/**
+		 * Signs given payload with current identity, returning object with
+		 * signature and a complete MailerId certificates' chain of a used key.
+		 * @param payload 
+		 */
+		sign(payload: Uint8Array): Promise<MailerIdSignature>;
+
+		/**
+		 * Verifies given signature, returning true if it is ok.
+		 * Since this is a check of MailerId signature, root certificate of a
+		 * respective identity provider would have to be retrieved with a chance
+		 * of related exceptions being thrown.
+		 * @param midSignature 
+		 */
+		verifySignature(midSignature: MailerIdSignature): Promise<{
+			cryptoCheck: boolean;
+			midProviderCheck?: MailerIdProviderCheckResult;
+		}>;
+
 	}
 
 	interface MailerIdAssertionLoad {
@@ -34,4 +60,28 @@ declare namespace web3n.mailerid {
 		expiresAt: number;
 	}
 
+	interface MailerIdSignature {
+		rootMidCert: keys.SignedLoad;
+		provCert: keys.SignedLoad;
+		signeeCert: keys.SignedLoad;
+		signature: keys.SignedLoad;
+	}
+
+	type MailerIdProviderCheckResult =
+		'all-ok'
+		| 'unknown-root-cert'
+		| 'not-current-provider'
+		|'dns-not-set'
+		| 'offline-no-check'
+		| 'other-fail';
+
+	interface MailerIdException extends RuntimeException {
+		type: 'mailerid';
+		algMismatch?: true;
+		timeMismatch?: true;
+		certsMismatch?: true;
+		certMalformed?: true;
+		sigVerificationFails?: true;
+	}
+
 }

package/build/core/asmail/key-verification.d.ts

@@ -1,6 +1,7 @@
 import { ServiceLocator } from '../../lib-client/service-locator';
 import { NetClient } from '../../lib-client/request-utils';
 type JsonKey = web3n.keys.JsonKey;
+type SignedLoad = web3n.keys.SignedLoad;
 type PKeyCertChain = web3n.keys.PKeyCertChain;
 /**
  * This returns a promise, resolvable to public key, when certificates'
@@ -12,6 +13,10 @@ type PKeyCertChain = web3n.keys.PKeyCertChain;
  * @param certs is an object with a MailerId certificates chain for a public key
  */
 export declare function checkAndExtractPKey(client: NetClient, resolver: ServiceLocator, address: string, certs: PKeyCertChain): Promise<JsonKey>;
+export declare function getRootCertForKey(kid: string, resolver: ServiceLocator, client: NetClient, address: string): Promise<{
+    domain: string;
+    rootCert: SignedLoad;
+}>;
 /**
  * This returns a promise, resolvable to public key and related address, when
  * certificates' verification is successful, and rejectable in all other cases.

package/build/core/asmail/key-verification.js

@@ -17,11 +17,13 @@
 */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.checkAndExtractPKey = checkAndExtractPKey;
+exports.getRootCertForKey = getRootCertForKey;
 exports.checkAndExtractPKeyWithAddress = checkAndExtractPKeyWithAddress;
 const canonical_address_1 = require("../../lib-common/canonical-address");
-const mid_sigs_NaCl_Ed_1 = require("../../lib-common/mid-sigs-NaCl-Ed");
 const jwkeys_1 = require("../../lib-common/jwkeys");
 const service_locator_1 = require("../../lib-client/service-locator");
+const relying_party_1 = require("../../lib-common/mailerid-sigs/relying-party");
+const mailerid_sigs_1 = require("../../lib-common/mailerid-sigs");
 /**
  * This returns a promise, resolvable to public key, when certificates'
  * verification is successful, and rejectable in all other cases.
@@ -36,7 +38,7 @@ async function checkAndExtractPKey(client, resolver, address, certs) {
     const validAt = Math.round(Date.now() / 1000);
     // get MailerId provider's info with a root certificate(s)
     const { domain: rootAddr, rootCert } = await getRootCertForKey(certs.provCert.kid, resolver, client, address);
-    const pkey = mid_sigs_NaCl_Ed_1.relyingParty.verifyPubKey(certs.pkeyCert, address, { user: certs.userCert, prov: certs.provCert, root: rootCert }, rootAddr, validAt);
+    const pkey = (0, relying_party_1.verifyPubKey)(certs.pkeyCert, address, { user: certs.userCert, prov: certs.provCert, root: rootCert }, rootAddr, validAt);
     return pkey;
 }
 async function getRootCertForKey(kid, resolver, client, address) {
@@ -72,11 +74,11 @@ async function checkAndExtractPKeyWithAddress(client, resolver, certs, validAt)
         address = (0, jwkeys_1.getKeyCert)(certs.pkeyCert).cert.principal.address;
     }
     catch (err) {
-        throw (0, mid_sigs_NaCl_Ed_1.makeMalformedCertsException)(`Cannot read public key certificate`, err);
+        throw (0, mailerid_sigs_1.makeMalformedCertsException)(`Cannot read public key certificate`, err);
     }
     // get MailerId provider's info with a root certificate(s)
     const { domain: rootAddr, rootCert } = await getRootCertForKey(certs.provCert.kid, resolver, client, address);
-    const pkey = mid_sigs_NaCl_Ed_1.relyingParty.verifyPubKey(certs.pkeyCert, address, { user: certs.userCert, prov: certs.provCert, root: rootCert }, rootAddr, validAt);
+    const pkey = (0, relying_party_1.verifyPubKey)(certs.pkeyCert, address, { user: certs.userCert, prov: certs.provCert, root: rootCert }, rootAddr, validAt);
     return { address, pkey };
 }
 Object.freeze(exports);

package/build/core/id-manager/index.d.ts

@@ -1,8 +1,8 @@
-import { user as mid } from '../../lib-common/mid-sigs-NaCl-Ed';
 import { GenerateKey } from '../startup/sign-in';
 import { LogError, LogWarning } from '../../lib-client/logging/log-to-file';
 import { NetClient } from '../../lib-client/request-utils';
 import { ServiceLocator } from '../../lib-client/service-locator';
+import { MailerIdSigner } from '../../lib-common/mailerid-sigs/user';
 type JsonKey = web3n.keys.JsonKey;
 type WritableFS = web3n.files.WritableFS;
 /**
@@ -17,7 +17,7 @@ export interface CompleteProvisioning {
 /**
  * This returns a promise, resolvable to mailerId signer.
  */
-export type GetSigner = () => Promise<mid.MailerIdSigner>;
+export type GetSigner = () => Promise<MailerIdSigner>;
 export type SetupManagerStorage = (fs: WritableFS, keysToSave?: JsonKey[]) => Promise<void>;
 export declare class IdManager {
     private readonly store;

package/build/core/id-manager/index.js

@@ -23,6 +23,9 @@ const jwkeys_1 = require("../../lib-common/jwkeys");
 const synced_1 = require("../../lib-common/processes/synced");
 const login_1 = require("../../lib-client/mailer-id/login");
 const key_storage_1 = require("./key-storage");
+const relying_party_1 = require("../../lib-common/mailerid-sigs/relying-party");
+const key_verification_1 = require("../asmail/key-verification");
+const json_utils_1 = require("../../lib-common/json-utils");
 const CERTIFICATE_DURATION_SECONDS = 16 * 60 * 60;
 const ASSERTION_VALIDITY = 15 * 60;
 const MIN_SECS_LEFT_ASSUMED_OK = 10 * 60;
@@ -157,6 +160,33 @@ class IdManager {
             login: async (serviceUrl) => {
                 const signer = await this.getSigner();
                 return doMidLogin(serviceUrl, this.getId(), this.makeNet(), signer);
+            },
+            sign: async (content) => {
+                const signer = await this.getSigner();
+                const { signature, signeeCert, provCert } = signer.sign(content);
+                const { rootCert: rootMidCert } = await (0, key_verification_1.getRootCertForKey)(signer.providerCert.kid, this.midServiceFor, this.makeNet(), signer.address);
+                return { signature, signeeCert, provCert, rootMidCert };
+            },
+            verifySignature: async (midSig) => {
+                const { signature, signeeCert, provCert, rootMidCert } = midSig;
+                const cryptoCheck = (0, relying_party_1.verifySignature)(rootMidCert, provCert, signeeCert, signature);
+                if (!cryptoCheck) {
+                    return { cryptoCheck };
+                }
+                try {
+                    const { rootCert, domain } = await (0, key_verification_1.getRootCertForKey)(rootMidCert.kid, this.midServiceFor, this.makeNet(), (0, jwkeys_1.getKeyCert)(signeeCert).cert.principal.address);
+                    if ((0, json_utils_1.deepEqual)(rootCert, rootMidCert)) {
+                        return { cryptoCheck, midProviderCheck: 'all-ok' };
+                    }
+                    else {
+                        // XXX indicate more specific error cases
+                        return { cryptoCheck, midProviderCheck: 'other-fail' };
+                    }
+                }
+                catch (err) {
+                    // XXX indicate more specific error cases
+                    return { cryptoCheck, midProviderCheck: 'other-fail' };
+                }
             }
         };
         return Object.freeze(w);

package/build/core/id-manager/mailerid-cap-ipc.js

@@ -23,7 +23,9 @@ const service_side_wrap_1 = require("../../core-ipc/json-ipc-wrapping/service-si
 function exposeMailerIdCAP(cap) {
     return {
         getUserId: (0, service_side_wrap_1.wrapReqReplySrvMethod)(cap, 'getUserId'),
-        login: (0, service_side_wrap_1.wrapReqReplySrvMethod)(cap, 'login')
+        login: (0, service_side_wrap_1.wrapReqReplySrvMethod)(cap, 'login'),
+        sign: (0, service_side_wrap_1.wrapReqReplySrvMethod)(cap, 'sign'),
+        verifySignature: (0, service_side_wrap_1.wrapReqReplySrvMethod)(cap, 'verifySignature')
     };
 }
 function callMailerId(caller, objPath, method) {
@@ -32,7 +34,9 @@ function callMailerId(caller, objPath, method) {
 function makeMailerIdCaller(caller, objPath) {
     return {
         getUserId: callMailerId(caller, objPath, 'getUserId'),
-        login: callMailerId(caller, objPath, 'login')
+        login: callMailerId(caller, objPath, 'login'),
+        sign: callMailerId(caller, objPath, 'sign'),
+        verifySignature: callMailerId(caller, objPath, 'verifySignature')
     };
 }
 Object.freeze(exports);

package/build/core-ipc/json-ipc-wrapping/json-n-binary.js

@@ -187,7 +187,7 @@ function deserializeArgs(bytes, passedByReference) {
             args.push(arg);
         }
         else {
-            // XXX throw error here
+            args.push(undefined);
         }
     }
     return args;

package/build/lib-client/asmail/sender.d.ts

@@ -3,8 +3,8 @@
  */
 import { NetClient } from '../request-utils';
 import * as api from '../../lib-common/service-api/asmail/delivery';
-import { user as mid } from '../../lib-common/mid-sigs-NaCl-Ed';
 import { ServiceLocator } from '../service-locator';
+import { MailerIdSigner } from '../../lib-common/mailerid-sigs/user';
 export type FirstSaveReqOpts = api.PutObjFirstQueryOpts;
 export type FollowingSaveReqOpts = api.PutObjSecondQueryOpts;
 export type ServiceUrlGetter = (address: string) => Promise<string>;
@@ -97,7 +97,7 @@ export declare class MailSender {
      * Rejected promise passes an error object, conditionally containing
      * status field.
      */
-    authorizeSender(assertionSigner: mid.MailerIdSigner): Promise<void>;
+    authorizeSender(assertionSigner: MailerIdSigner): Promise<void>;
     /**
      * This gets recipients initial public key to launch message exchange.
      * @return a promise resolvable to certificates, received from server.

package/build/lib-client/asmail/sender.js

@@ -1,6 +1,6 @@
 "use strict";
 /*
- Copyright (C) 2015, 2017, 2020 3NSoft Inc.
+ Copyright (C) 2015, 2017, 2020, 2025 3NSoft Inc.
  
  This program is free software: you can redistribute it and/or modify it under
  the terms of the GNU General Public License as published by the Free Software

package/build/lib-client/mailer-id/login.d.ts

@@ -1,6 +1,6 @@
 import { NetClient } from '../request-utils';
 import { HTTPException } from '../../lib-common/exceptions/http';
-import { user as mid } from '../../lib-common/mid-sigs-NaCl-Ed';
+import { MailerIdSigner } from '../../lib-common/mailerid-sigs/user';
 export interface LoginException extends HTTPException {
     loginFailed?: boolean;
     unknownUser?: boolean;
@@ -9,4 +9,4 @@ export declare function startMidSession(userId: string, net: NetClient, loginUrl
     sessionId?: string;
     redirect?: string;
 }>;
-export declare function authenticateMidSession(sessionId: string, midSigner: mid.MailerIdSigner, net: NetClient, loginUrl: string): Promise<void>;
+export declare function authenticateMidSession(sessionId: string, midSigner: MailerIdSigner, net: NetClient, loginUrl: string): Promise<void>;

package/build/lib-client/mailer-id/login.js

@@ -1,6 +1,6 @@
 "use strict";
 /*
- Copyright (C) 2015, 2017, 2020 3NSoft Inc.
+ Copyright (C) 2015, 2017, 2020, 2025 3NSoft Inc.
  
  This program is free software: you can redistribute it and/or modify it under
  the terms of the GNU General Public License as published by the Free Software

package/build/lib-client/mailer-id/provisioner.d.ts

@@ -1,10 +1,10 @@
 import { NetClient } from '../request-utils';
 import { ServiceUser, ICalcDHSharedKey, LoginCompletion } from '../user-with-pkl-session';
-import * as mid from '../../lib-common/mid-sigs-NaCl-Ed';
+import { MailerIdSigner } from '../../lib-common/mailerid-sigs/user';
 export interface ProvisioningCompletion {
     keyParams: any;
     serverPKey: Uint8Array;
-    complete(dhsharedKeyCalc: ICalcDHSharedKey, certDuration: number, assertDuration?: number): Promise<mid.user.MailerIdSigner>;
+    complete(dhsharedKeyCalc: ICalcDHSharedKey, certDuration: number, assertDuration?: number): Promise<MailerIdSigner>;
 }
 /**
  * Certificate provisioner is an object that can do all MailerId's provisioning

package/build/lib-client/mailer-id/provisioner.js

@@ -1,6 +1,6 @@
 "use strict";
 /*
- Copyright (C) 2015 - 2017, 2021 3NSoft Inc.
+ Copyright (C) 2015 - 2017, 2021, 2025 3NSoft Inc.
  
  This program is free software: you can redistribute it and/or modify it under
  the terms of the GNU General Public License as published by the Free Software
@@ -23,11 +23,12 @@ const user_with_pkl_session_1 = require("../user-with-pkl-session");
 const jwkeys_1 = require("../../lib-common/jwkeys");
 const json_utils_1 = require("../../lib-common/json-utils");
 const canonical_address_1 = require("../../lib-common/canonical-address");
-const mid = require("../../lib-common/mid-sigs-NaCl-Ed");
 const random = require("../../lib-common/random-node");
 const api = require("../../lib-common/service-api/mailer-id/provisioning");
 const url_1 = require("url");
 const assert_1 = require("../../lib-common/assert");
+const user_1 = require("../../lib-common/mailerid-sigs/user");
+const relying_party_1 = require("../../lib-common/mailerid-sigs/relying-party");
 const DEFAULT_ASSERTION_VALIDITY = 20 * 60;
 /**
  * Certificate provisioner is an object that can do all MailerId's provisioning
@@ -94,8 +95,7 @@ class MailerIdProvisioner extends user_with_pkl_session_1.ServiceUser {
                 if (!certs.userCert || !certs.provCert) {
                     throw (0, request_utils_1.makeException)(rep, 'Malformed reply: Certificates are missing.');
                 }
-                const pkeyAndId = mid.relyingParty.verifyChainAndGetUserKey({ user: certs.userCert, prov: certs.provCert,
-                    root: this.rootCert }, this.midDomain, (0, jwkeys_1.getKeyCert)(certs.userCert).issuedAt + 1);
+                const pkeyAndId = (0, relying_party_1.verifyChainAndGetUserKey)({ user: certs.userCert, prov: certs.provCert, root: this.rootCert }, this.midDomain, (0, jwkeys_1.getKeyCert)(certs.userCert).issuedAt + 1);
                 if (pkeyAndId.address !== (0, canonical_address_1.toCanonicalAddress)(this.userId)) {
                     throw (0, request_utils_1.makeException)(rep, 'Malformed reply: Certificate is for a wrong address.');
                 }
@@ -133,13 +133,13 @@ class MailerIdProvisioner extends user_with_pkl_session_1.ServiceUser {
      * Undefined value means that a default key should be used.
      */
     async provisionSigner(keyId) {
-        const pair = mid.user.generateSigningKeyPair(random.bytesSync);
+        const pair = (0, user_1.generateSigningKeyPair)(random.bytesSync);
         await this.setUrlAndDomain();
         const login = await this.super_login(keyId);
         const completion = async (dhsharedKeyCalc, certDuration, assertDuration = DEFAULT_ASSERTION_VALIDITY) => {
             await login.complete(dhsharedKeyCalc);
             await this.getCertificates(pair.pkey, certDuration);
-            return mid.user.makeMailerIdSigner(pair.skey, this.userCert, this.provCert, assertDuration);
+            return (0, user_1.makeMailerIdSigner)(pair.skey, this.userCert, this.provCert, assertDuration);
         };
         return {
             keyParams: login.keyParams,

package/build/lib-client/user-with-mid-session.d.ts

@@ -3,9 +3,9 @@
  * MailerId and uses respectively authenticated session.
  */
 import { Reply, RequestOpts, NetClient } from '../lib-client/request-utils';
-import { user as mid } from '../lib-common/mid-sigs-NaCl-Ed';
 import * as WebSocket from 'ws';
-export type IGetMailerIdSigner = () => Promise<mid.MailerIdSigner>;
+import { MailerIdSigner } from '../lib-common/mailerid-sigs/user';
+export type IGetMailerIdSigner = () => Promise<MailerIdSigner>;
 export interface ServiceAccessParams {
     login: string;
     logout: string;
@@ -44,7 +44,7 @@ export declare abstract class ServiceUser {
      * @return a promise, resolvable, when mailerId login successfully
      * completes.
      */
-    login(midSigner?: mid.MailerIdSigner): Promise<void>;
+    login(midSigner?: MailerIdSigner): Promise<void>;
     /**
      * This method closes current session.
      * @return a promise for request completion.

package/build/lib-client/user-with-mid-session.js

@@ -1,6 +1,6 @@
 "use strict";
 /*
- Copyright (C) 2015, 2017, 2020, 2022 3NSoft Inc.
+ Copyright (C) 2015, 2017, 2020, 2022, 2025 3NSoft Inc.
  
  This program is free software: you can redistribute it and/or modify it under
  the terms of the GNU General Public License as published by the Free Software

package/build/lib-client/xsp-fs/folder-node.js

@@ -462,6 +462,9 @@ class FolderNode extends node_in_fs_1.NodeInFS {
         return { node, key };
     }
     create(type, name, exclusive, changes, linkParams) {
+        if ((typeof name !== 'string') || (name.length === 0)) {
+            throw (0, file_1.makeFileException)('badFnCallArguments', name, `Given name is invalid for making ${type} node`);
+        }
         return this.doChange(true, async () => {
             // do check for concurrent creation of a node
             if (this.getNodeInfo(name, true)) {

package/build/lib-common/mailerid-sigs/id-provider.d.ts

@@ -0,0 +1,64 @@
+import { GetRandom, arrays } from "ecma-nacl";
+type JsonKey = web3n.keys.JsonKey;
+type SignedLoad = web3n.keys.SignedLoad;
+export declare const KID_BYTES_LENGTH = 9;
+export declare const MAX_USER_CERT_VALIDITY: number;
+export declare function makeSelfSignedCert(address: string, validityPeriod: number, sjkey: JsonKey, arrFactory?: arrays.Factory): SignedLoad;
+/**
+ * One should keep MailerId root key offline, as this key is used only to
+ * sign provider keys, which have to work online.
+ * @param address is an address of an issuer
+ * @param validityPeriod validity period of a generated self-signed
+ * certificate in milliseconds
+ * @param random
+ * @param arrFactory optional array factory
+ * @return Generated root key and a self-signed certificate for respective
+ * public key.
+ */
+export declare function generateRootKey(address: string, validityPeriod: number, random: GetRandom, arrFactory?: arrays.Factory): {
+    cert: SignedLoad;
+    skey: JsonKey;
+};
+/**
+ * @param address is an address of an issuer
+ * @param validityPeriod validity period of a generated self-signed
+ * certificate in seconds
+ * @param rootJKey root key in json format
+ * @param random
+ * @param arrFactory optional array factory
+ * @return Generated provider's key and a certificate for a respective
+ * public key.
+ */
+export declare function generateProviderKey(address: string, validityPeriod: number, rootJKey: JsonKey, random: GetRandom, arrFactory?: arrays.Factory): {
+    cert: SignedLoad;
+    skey: JsonKey;
+};
+/**
+ * MailerId providing service should use this object to generate certificates.
+ */
+export interface IdProviderCertifier {
+    /**
+     * @param publicKey
+     * @param address
+     * @param validFor (optional)
+     * @return certificate for a given key
+     */
+    certify(publicKey: JsonKey, address: string, validFor?: number): SignedLoad;
+    /**
+     * This securely erases internal key.
+     * Call this function, when certifier is no longer needed.
+     */
+    destroy(): void;
+}
+/**
+ * @param issuer is a domain of certificate issuer, at which issuer's public
+ * key can be found to check the signature
+ * @param validityPeriod is a default validity period in seconds, for
+ * which certifier shall be making certificates
+ * @param signJKey is a certificates signing key
+ * @param arrFactory is an optional array factory
+ * @return MailerId certificates generator, which shall be used on identity
+ * provider's side
+ */
+export declare function makeIdProviderCertifier(issuer: string, validityPeriod: number, signJKey: JsonKey, arrFactory?: arrays.Factory): IdProviderCertifier;
+export {};

package/build/lib-common/mailerid-sigs/id-provider.js

@@ -0,0 +1,174 @@
+"use strict";
+/*
+ Copyright (C) 2015 - 2017, 2025 3NSoft Inc.
+ 
+ This program is free software: you can redistribute it and/or modify it under
+ the terms of the GNU General Public License as published by the Free Software
+ Foundation, either version 3 of the License, or (at your option) any later
+ version.
+ 
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ See the GNU General Public License for more details.
+ 
+ You should have received a copy of the GNU General Public License along with
+ this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MAX_USER_CERT_VALIDITY = exports.KID_BYTES_LENGTH = void 0;
+exports.makeSelfSignedCert = makeSelfSignedCert;
+exports.generateRootKey = generateRootKey;
+exports.generateProviderKey = generateProviderKey;
+exports.makeIdProviderCertifier = makeIdProviderCertifier;
+const ecma_nacl_1 = require("ecma-nacl");
+const jwkeys_1 = require("../jwkeys");
+const buffer_utils_1 = require("../buffer-utils");
+const index_1 = require("./index");
+function genSignKeyPair(use, kidLen, random, arrFactory) {
+    const pair = ecma_nacl_1.signing.generate_keypair(random(32), arrFactory);
+    const pkey = {
+        use: use,
+        alg: ecma_nacl_1.signing.JWK_ALG_NAME,
+        kid: buffer_utils_1.base64.pack(random(kidLen)),
+        k: buffer_utils_1.base64.pack(pair.pkey)
+    };
+    const skey = {
+        use: pkey.use,
+        alg: pkey.alg,
+        kid: pkey.kid,
+        k: pair.skey
+    };
+    return { pkey: pkey, skey: skey };
+}
+function makeCert(pkey, principalAddr, issuer, issuedAt, expiresAt, signKey, arrFactory) {
+    if (signKey.alg !== ecma_nacl_1.signing.JWK_ALG_NAME) {
+        throw (0, index_1.makeMailerIdException)({ algMismatch: true }, { message: `Given signing key is used with unknown algorithm ${signKey.alg}` });
+    }
+    const cert = {
+        cert: {
+            publicKey: pkey,
+            principal: { address: principalAddr }
+        },
+        issuer: issuer,
+        issuedAt: issuedAt,
+        expiresAt: expiresAt
+    };
+    const certBytes = buffer_utils_1.utf8.pack(JSON.stringify(cert));
+    const sigBytes = ecma_nacl_1.signing.signature(certBytes, signKey.k, arrFactory);
+    return {
+        alg: signKey.alg,
+        kid: signKey.kid,
+        sig: buffer_utils_1.base64.pack(sigBytes),
+        load: buffer_utils_1.base64.pack(certBytes)
+    };
+}
+exports.KID_BYTES_LENGTH = 9;
+exports.MAX_USER_CERT_VALIDITY = 24 * 60 * 60;
+function makeSelfSignedCert(address, validityPeriod, sjkey, arrFactory) {
+    const skey = (0, jwkeys_1.keyFromJson)(sjkey, index_1.KEY_USE.ROOT, ecma_nacl_1.signing.JWK_ALG_NAME, ecma_nacl_1.signing.SECRET_KEY_LENGTH);
+    const pkey = {
+        use: sjkey.use,
+        alg: sjkey.alg,
+        kid: sjkey.kid,
+        k: buffer_utils_1.base64.pack(ecma_nacl_1.signing.extract_pkey(skey.k))
+    };
+    const now = Math.floor(Date.now() / 1000);
+    return makeCert(pkey, address, address, now, now + validityPeriod, skey, arrFactory);
+}
+/**
+ * One should keep MailerId root key offline, as this key is used only to
+ * sign provider keys, which have to work online.
+ * @param address is an address of an issuer
+ * @param validityPeriod validity period of a generated self-signed
+ * certificate in milliseconds
+ * @param random
+ * @param arrFactory optional array factory
+ * @return Generated root key and a self-signed certificate for respective
+ * public key.
+ */
+function generateRootKey(address, validityPeriod, random, arrFactory) {
+    if (validityPeriod < 1) {
+        throw new Error(`Illegal validity period: ${validityPeriod}`);
+    }
+    const rootPair = genSignKeyPair(index_1.KEY_USE.ROOT, exports.KID_BYTES_LENGTH, random, arrFactory);
+    const now = Math.floor(Date.now() / 1000);
+    const rootCert = makeCert(rootPair.pkey, address, address, now, now + validityPeriod, rootPair.skey, arrFactory);
+    return { cert: rootCert, skey: (0, jwkeys_1.keyToJson)(rootPair.skey) };
+}
+/**
+ * @param address is an address of an issuer
+ * @param validityPeriod validity period of a generated self-signed
+ * certificate in seconds
+ * @param rootJKey root key in json format
+ * @param random
+ * @param arrFactory optional array factory
+ * @return Generated provider's key and a certificate for a respective
+ * public key.
+ */
+function generateProviderKey(address, validityPeriod, rootJKey, random, arrFactory) {
+    if (validityPeriod < 1) {
+        throw new Error(`Illegal validity period: ${validityPeriod}`);
+    }
+    const rootKey = (0, jwkeys_1.keyFromJson)(rootJKey, index_1.KEY_USE.ROOT, ecma_nacl_1.signing.JWK_ALG_NAME, ecma_nacl_1.signing.SECRET_KEY_LENGTH);
+    const provPair = genSignKeyPair(index_1.KEY_USE.PROVIDER, exports.KID_BYTES_LENGTH, random, arrFactory);
+    const now = Math.floor(Date.now() / 1000);
+    const rootCert = makeCert(provPair.pkey, address, address, now, now + validityPeriod, rootKey, arrFactory);
+    return { cert: rootCert, skey: (0, jwkeys_1.keyToJson)(provPair.skey) };
+}
+/**
+ * @param issuer is a domain of certificate issuer, at which issuer's public
+ * key can be found to check the signature
+ * @param validityPeriod is a default validity period in seconds, for
+ * which certifier shall be making certificates
+ * @param signJKey is a certificates signing key
+ * @param arrFactory is an optional array factory
+ * @return MailerId certificates generator, which shall be used on identity
+ * provider's side
+ */
+function makeIdProviderCertifier(issuer, validityPeriod, signJKey, arrFactory) {
+    if (!issuer) {
+        throw new Error(`Given issuer is illegal: ${issuer}`);
+    }
+    if ((validityPeriod < 1) || (validityPeriod > exports.MAX_USER_CERT_VALIDITY)) {
+        throw new Error(`Given certificate validity is illegal: ${validityPeriod}`);
+    }
+    let signKey = (0, jwkeys_1.keyFromJson)(signJKey, index_1.KEY_USE.PROVIDER, ecma_nacl_1.signing.JWK_ALG_NAME, ecma_nacl_1.signing.SECRET_KEY_LENGTH);
+    signJKey = undefined;
+    if (!arrFactory) {
+        arrFactory = ecma_nacl_1.arrays.makeFactory();
+    }
+    return {
+        certify: (publicKey, address, validFor) => {
+            if (!signKey) {
+                throw new Error(`Certifier is already destroyed.`);
+            }
+            if (publicKey.use !== index_1.KEY_USE.SIGN) {
+                throw new Error(`Given public key has use ${publicKey.use} and cannot be used for signing.`);
+            }
+            if (typeof validFor === 'number') {
+                if (validFor > validityPeriod) {
+                    validFor = validityPeriod;
+                }
+                else if (validFor < 0) {
+                    new Error(`Given certificate validity is illegal: ${validFor}`);
+                }
+            }
+            else {
+                validFor = validityPeriod;
+            }
+            const now = Math.floor(Date.now() / 1000);
+            return makeCert(publicKey, address, issuer, now, now + validFor, signKey, arrFactory);
+        },
+        destroy: () => {
+            if (!signKey) {
+                return;
+            }
+            ecma_nacl_1.arrays.wipe(signKey.k);
+            signKey = undefined;
+            arrFactory.wipeRecycled();
+            arrFactory = undefined;
+        }
+    };
+}
+Object.freeze(exports);