micro509 0.1.0

package/dist/verify.d.ts

@@ -0,0 +1,5 @@
+import { DnsServiceIdentityInput, IpServiceIdentityInput, MatchServiceIdentityErrorCode, MatchServiceIdentityEvaluation, MatchServiceIdentityFailure, MatchServiceIdentityFailureDetails, MatchServiceIdentityFailureResult, MatchServiceIdentityInput, MatchServiceIdentityResult, MatchServiceIdentitySuccess, MatchableServiceIdentityInput, ServiceIdentityInput, ServiceIdentityType, SrvServiceIdentityInput, UriServiceIdentityInput, VerifyServiceIdentityInput, matchCertificateServiceIdentity, matchServiceIdentity } from "./verify/identity.js";
+import { InitialNameConstraintsInput } from "./verify/name-constraints.js";
+import { ConstrainedPolicy, PolicyValidationInput, PolicyValidationOutcome } from "./verify/policy.js";
+import { BuildCandidatePathInput, BuildCandidatePathResult, CandidatePath, CertificateSource, ChainRevocationInput, CsrSource, EkuCheckFailure, EkuCheckPurpose, EkuCheckResult, TrustAnchor, ValidateCandidatePathInput, ValidateCandidatePathResult, ValidateCandidatePathSuccess, ValidateForCaInput, ValidateForCodeSigningInput, ValidateForTlsClientInput, ValidateForTlsServerInput, VerifiedCertificateChain, VerifyCertificateChainInput, VerifyChainFailure, VerifyChainResult, VerifyErrorCode, VerifyFailureDetails, VerifyPurpose, VerifyRequestFailure, VerifyRequestResult, buildCandidatePath, checkExtendedKeyUsage, trustAnchorFromCertificate, validateCandidatePath, validateForCa, validateForCodeSigning, validateForTlsClient, validateForTlsServer, verifyCertificateChain, verifyCertificateSigningRequest } from "./verify/verify.js";
+export { type BuildCandidatePathInput, type BuildCandidatePathResult, type CandidatePath, type CertificateSource, type ChainRevocationInput, type ConstrainedPolicy, type CsrSource, type DnsServiceIdentityInput, type EkuCheckFailure, type EkuCheckPurpose, type EkuCheckResult, type InitialNameConstraintsInput, type IpServiceIdentityInput, type MatchServiceIdentityErrorCode, type MatchServiceIdentityEvaluation, type MatchServiceIdentityFailure, type MatchServiceIdentityFailureDetails, type MatchServiceIdentityFailureResult, type MatchServiceIdentityInput, type MatchServiceIdentityResult, type MatchServiceIdentitySuccess, type MatchableServiceIdentityInput, type PolicyValidationInput, type PolicyValidationOutcome, type ServiceIdentityInput, type ServiceIdentityType, type SrvServiceIdentityInput, type TrustAnchor, type UriServiceIdentityInput, type ValidateCandidatePathInput, type ValidateCandidatePathResult, type ValidateCandidatePathSuccess, type ValidateForCaInput, type ValidateForCodeSigningInput, type ValidateForTlsClientInput, type ValidateForTlsServerInput, type VerifiedCertificateChain, type VerifyCertificateChainInput, type VerifyChainFailure, type VerifyChainResult, type VerifyErrorCode, type VerifyFailureDetails, type VerifyPurpose, type VerifyRequestFailure, type VerifyRequestResult, type VerifyServiceIdentityInput, buildCandidatePath, checkExtendedKeyUsage, matchCertificateServiceIdentity, matchServiceIdentity, trustAnchorFromCertificate, validateCandidatePath, validateForCa, validateForCodeSigning, validateForTlsClient, validateForTlsServer, verifyCertificateChain, verifyCertificateSigningRequest };

package/dist/verify.js

@@ -0,0 +1 @@
+import{matchCertificateServiceIdentity as e,matchServiceIdentity as t}from"./verify/identity.js";import{buildCandidatePath as n,checkExtendedKeyUsage as r,trustAnchorFromCertificate as i,validateCandidatePath as a,validateForCa as o,validateForCodeSigning as s,validateForTlsClient as c,validateForTlsServer as l,verifyCertificateChain as u,verifyCertificateSigningRequest as d}from"./verify/verify.js";export{n as buildCandidatePath,r as checkExtendedKeyUsage,e as matchCertificateServiceIdentity,t as matchServiceIdentity,i as trustAnchorFromCertificate,a as validateCandidatePath,o as validateForCa,s as validateForCodeSigning,c as validateForTlsClient,l as validateForTlsServer,u as verifyCertificateChain,d as verifyCertificateSigningRequest};

package/dist/x509/certificate.d.ts

@@ -0,0 +1,191 @@
+import { KeyAlgorithmInput, KeyPairMaterial } from "../keys/keys.js";
+import { NameAttribute, NameFieldKey, NameInput, NameObject, RelativeDistinguishedNameInput, encodeName, encodeRelativeDistinguishedName } from "./name.js";
+import { AuthorityInfoAccessMethod, AuthorityInformationAccess, BasicConstraints, CertificateExtensionsInput, CertificatePolicies, CpsPolicyQualifierInfo, CustomAuthorityInfoAccessMethod, CustomExtendedKeyUsage, CustomExtension, CustomPolicyQualifierInfo, DistributionPoint, DistributionPointName, DistributionPointReason, ExtendedKeyUsage, GeneralName, GeneralSubtree, InhibitAnyPolicy, IssuingDistributionPoint, IssuingDistributionPointBase, IssuingDistributionPointForAttributeCerts, IssuingDistributionPointForCaCerts, IssuingDistributionPointForUserCerts, KeyUsage, KnownAuthorityInfoAccessMethod, KnownExtendedKeyUsage, NameConstraintForm, NameConstraints, ParsedNameConstraintForm, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyNoticeReference, PolicyQualifierInfo, SubjectAltName, UnsupportedNameConstraintForm, UserNoticePolicyQualifierInfo, buildCertificateExtensions, buildRequestedExtensions, encodeAuthorityInfoAccess, encodeBasicConstraints, encodeCertificatePolicies, encodeCrlDistributionPoints, encodeExtendedKeyUsage, encodeExtension, encodeInhibitAnyPolicy, encodeKeyUsage, encodeNameConstraints, encodePolicyConstraints, encodePolicyMappings, encodeSubjectAltName, getAuthorityInfoAccessMethodOid, getExtendedKeyUsageOid, parseAuthorityInfoAccessMethodOid, parseExtendedKeyUsageOid } from "./extensions.js";
+import { SignatureProfileInput } from "../internal/crypto/signing.js";
+
+//#region src/x509/certificate.d.ts
+/**
+* Configures the certificate validity window.
+*
+* If `notAfter` is omitted, it is derived from `notBefore` plus `days`. If both
+* `notAfter` and `days` are omitted, the certificate is valid for 30 days.
+*/
+interface ValidityInput {
+  /**
+  * Start of the validity window.
+  *
+  * Defaults to the current time.
+  */
+  readonly notBefore?: Date;
+  /**
+  * End of the validity window.
+  *
+  * Must be later than `notBefore`.
+  */
+  readonly notAfter?: Date;
+  /**
+  * Number of days to add to `notBefore` when `notAfter` is omitted.
+  */
+  readonly days?: number;
+}
+/**
+* Input for {@linkcode createCertificate}.
+*/
+interface CreateCertificateInput {
+  /**
+  * Issuer distinguished name.
+  */
+  readonly issuer: NameInput;
+  /**
+  * Subject distinguished name.
+  */
+  readonly subject: NameInput;
+  /**
+  * Subject public key to encode into the certificate.
+  */
+  readonly publicKey: CryptoKey;
+  /**
+  * Private key used to sign the certificate.
+  */
+  readonly signerPrivateKey: CryptoKey;
+  /**
+  * Issuer public key.
+  *
+  * Provide this when extension builders need issuer key material, such as
+  * authority key identifier derivation.
+  */
+  readonly issuerPublicKey?: CryptoKey;
+  /**
+  * Validity window configuration.
+  */
+  readonly validity?: ValidityInput;
+  /**
+  * DER integer bytes for the certificate serial number.
+  *
+  * When omitted, a random positive 16-byte serial number is generated.
+  */
+  readonly serialNumber?: Uint8Array;
+  /**
+  * X.509 extensions to encode into the certificate.
+  */
+  readonly extensions?: CertificateExtensionsInput;
+  /**
+  * Signature algorithm override.
+  *
+  * When omitted, the library selects a compatible profile from the signing
+  * key.
+  */
+  readonly signature?: SignatureProfileInput;
+}
+/**
+* Input for {@linkcode createSelfSignedCertificate}.
+*/
+interface CreateSelfSignedCertificateInput {
+  /**
+  * Subject distinguished name used as both subject and issuer.
+  */
+  readonly subject: NameInput;
+  /**
+  * Key generation parameters.
+  *
+  * Ignored when `keyPair` is provided.
+  */
+  readonly algorithm?: KeyAlgorithmInput;
+  /**
+  * Existing key pair to reuse for both subject and issuer.
+  *
+  * When omitted, a new key pair is generated.
+  */
+  readonly keyPair?: KeyPairMaterial;
+  /**
+  * Validity window configuration.
+  */
+  readonly validity?: ValidityInput;
+  /**
+  * DER integer bytes for the certificate serial number.
+  */
+  readonly serialNumber?: Uint8Array;
+  /**
+  * X.509 extensions to encode into the certificate.
+  */
+  readonly extensions?: CertificateExtensionsInput;
+  /**
+  * Signature algorithm override.
+  */
+  readonly signature?: SignatureProfileInput;
+}
+/**
+* Encoded certificate material in common interchange formats.
+*/
+interface CertificateMaterial {
+  /**
+  * DER-encoded certificate bytes.
+  */
+  readonly der: Uint8Array;
+  /**
+  * PEM-encoded certificate.
+  */
+  readonly pem: string;
+  /**
+  * Base64 encoding of {@linkcode der} without PEM armor.
+  */
+  readonly base64: string;
+}
+/**
+* Result returned by {@linkcode createSelfSignedCertificate}.
+*/
+interface SelfSignedCertificateResult {
+  /**
+  * Encoded certificate outputs.
+  */
+  readonly certificate: CertificateMaterial;
+  /**
+  * Key pair used to issue the certificate.
+  */
+  readonly keyPair: KeyPairMaterial;
+}
+/**
+* Create a self-signed certificate.
+*
+* Reuses `input.keyPair` when provided; otherwise generates a new key pair from
+* `input.algorithm`. The returned certificate uses `input.subject` as both
+* issuer and subject.
+*
+* @example
+* ```ts
+* const { certificate, keyPair } = await createSelfSignedCertificate({
+* 	subject: { commonName: 'example.com' },
+* 	algorithm: { kind: 'ecdsa', curve: 'P-256' },
+* });
+* ```
+*
+* @param input Certificate subject, key, validity, and extension settings.
+* @returns The certificate plus the key pair used to sign it.
+*/
+declare function createSelfSignedCertificate(input: CreateSelfSignedCertificateInput): Promise<SelfSignedCertificateResult>;
+/**
+* Create an X.509 certificate signed by `input.signerPrivateKey`.
+*
+* The certificate encodes `input.subject`, `input.publicKey`, and any supplied
+* extensions. When `serialNumber` is omitted, a random positive serial number is
+* generated. When `validity` is omitted, the certificate is valid from now for
+* 30 days.
+*
+* @example
+* ```ts
+* const certificate = await createCertificate({
+* 	issuer: { commonName: 'Example Root CA' },
+* 	subject: { commonName: 'example.com' },
+* 	publicKey: leafKeys.publicKey,
+* 	signerPrivateKey: issuerKeys.privateKey,
+* 	issuerPublicKey: issuerKeys.publicKey,
+* });
+* ```
+*
+* @param input Issuer, subject, key, validity, and extension settings.
+* @returns The encoded certificate material.
+*/
+declare function createCertificate(input: CreateCertificateInput): Promise<CertificateMaterial>;
+//#endregion
+export { type AuthorityInfoAccessMethod, type AuthorityInformationAccess, type BasicConstraints, type CertificateExtensionsInput, CertificateMaterial, type CertificatePolicies, type CpsPolicyQualifierInfo, CreateCertificateInput, CreateSelfSignedCertificateInput, type CustomAuthorityInfoAccessMethod, type CustomExtendedKeyUsage, type CustomExtension, type CustomPolicyQualifierInfo, type DistributionPoint, type DistributionPointName, type DistributionPointReason, type ExtendedKeyUsage, type GeneralName, type GeneralSubtree, type InhibitAnyPolicy, type IssuingDistributionPoint, type IssuingDistributionPointBase, type IssuingDistributionPointForAttributeCerts, type IssuingDistributionPointForCaCerts, type IssuingDistributionPointForUserCerts, type KeyUsage, type KnownAuthorityInfoAccessMethod, type KnownExtendedKeyUsage, type NameConstraintForm, type NameConstraints, type NameInput, type NameObject, type ParsedNameConstraintForm, type PolicyConstraints, type PolicyInformation, type PolicyMapping, type PolicyMappings, type PolicyNoticeReference, type PolicyQualifierInfo, SelfSignedCertificateResult, type SubjectAltName, type UnsupportedNameConstraintForm, type UserNoticePolicyQualifierInfo, ValidityInput, type buildCertificateExtensions, type buildRequestedExtensions, createCertificate, createSelfSignedCertificate, type encodeAuthorityInfoAccess, type encodeBasicConstraints, type encodeCertificatePolicies, type encodeCrlDistributionPoints, type encodeExtendedKeyUsage, type encodeExtension, type encodeInhibitAnyPolicy, type encodeKeyUsage, type encodeName, type encodeNameConstraints, type encodePolicyConstraints, type encodePolicyMappings, type encodeRelativeDistinguishedName, type encodeSubjectAltName, type getAuthorityInfoAccessMethodOid, type getExtendedKeyUsageOid, type parseAuthorityInfoAccessMethodOid, type parseExtendedKeyUsageOid };
+//# sourceMappingURL=certificate.d.ts.map

package/dist/x509/certificate.js

@@ -0,0 +1,2 @@
+import{bitString as e,explicitContext as t,integer as n,integerFromNumber as r,sequence as i,time as a}from"../internal/asn1/der.js";import{getCrypto as o}from"../internal/crypto/webcrypto.js";import{base64Encode as s}from"../internal/shared/base64.js";import{pemEncode as c}from"../pem/pem.js";import{exportSpkiDer as l,generateKeyPair as u}from"../keys/keys.js";import{encodeName as d,isNameInputEmpty as f}from"./name.js";import{buildCertificateExtensions as p}from"./extensions.js";import{encodeAlgorithmIdentifier as m,getSignatureAlgorithm as h,signBytes as g}from"../internal/crypto/signing.js";async function _(e){let t=e.keyPair??await u(e.algorithm);return{certificate:await v({issuer:e.subject,subject:e.subject,publicKey:t.publicKey,signerPrivateKey:t.privateKey,issuerPublicKey:t.publicKey,...e.validity===void 0?{}:{validity:e.validity},...e.serialNumber===void 0?{}:{serialNumber:e.serialNumber},...e.extensions===void 0?{}:{extensions:e.extensions},...e.signature===void 0?{}:{signature:e.signature}}),keyPair:t}}async function v(o){let s=await l(o.publicKey),c=o.issuerPublicKey?await l(o.issuerPublicKey):void 0,u=h(o.signerPrivateKey,o.signature),_=b(o.validity),v=f(o.subject),x=p(s,c,o.extensions,v),C=i([t(0,r(2)),n(o.serialNumber??S()),m(u),d(o.issuer),i([a(_.notBefore),a(_.notAfter)]),d(o.subject),s,t(3,i(x))]),w=await g(o.signerPrivateKey,u,C);return y(i([C,m(u),e(w)]))}function y(e){return{der:e,pem:c(`CERTIFICATE`,e),base64:s(e)}}function b(e){let t=e?.notBefore??new Date,n=e?.notAfter??x(t,e?.days??30);if(n.getTime()<=t.getTime())throw Error(`notAfter must be after notBefore`);return{notBefore:t,notAfter:n}}function x(e,t){let n=new Date(e.getTime());return n.setUTCDate(n.getUTCDate()+t),n}function S(){let e=o().getRandomValues(new Uint8Array(16));return e[0]=(e[0]??0)&127,(e[0]??0)===0&&(e[0]=1),e}export{v as createCertificate,_ as createSelfSignedCertificate};
+//# sourceMappingURL=certificate.js.map

package/dist/x509/certificate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"certificate.js","names":[],"sources":["../../src/x509/certificate.ts"],"sourcesContent":["/**\n * Create X.509 certificates from typed names, extensions, and WebCrypto keys.\n *\n * Use this module to issue a certificate from an existing issuer key pair or to\n * generate a self-signed certificate in one step.\n *\n * @module\n */\n\nimport {\n\tbitString,\n\texplicitContext,\n\tinteger,\n\tintegerFromNumber,\n\tsequence,\n\ttime,\n} from '#micro509/internal/asn1/der.ts';\nimport {\n\tencodeAlgorithmIdentifier,\n\tgetSignatureAlgorithm,\n\ttype SignatureProfileInput,\n\tsignBytes,\n} from '#micro509/internal/crypto/signing.ts';\nimport { getCrypto } from '#micro509/internal/crypto/webcrypto.ts';\nimport { base64Encode } from '#micro509/internal/shared/base64.ts';\nimport {\n\texportSpkiDer,\n\tgenerateKeyPair,\n\ttype KeyAlgorithmInput,\n\ttype KeyPairMaterial,\n} from '#micro509/keys/keys.ts';\nimport { pemEncode } from '#micro509/pem/pem.ts';\nimport { buildCertificateExtensions, type CertificateExtensionsInput } from './extensions.ts';\nimport { encodeName, isNameInputEmpty, type NameInput } from './name.ts';\n\nexport type * from './extensions.ts';\nexport type * from './name.ts';\n\n/**\n * Configures the certificate validity window.\n *\n * If `notAfter` is omitted, it is derived from `notBefore` plus `days`. If both\n * `notAfter` and `days` are omitted, the certificate is valid for 30 days.\n */\nexport interface ValidityInput {\n\t/**\n\t * Start of the validity window.\n\t *\n\t * Defaults to the current time.\n\t */\n\treadonly notBefore?: Date;\n\t/**\n\t * End of the validity window.\n\t *\n\t * Must be later than `notBefore`.\n\t */\n\treadonly notAfter?: Date;\n\t/**\n\t * Number of days to add to `notBefore` when `notAfter` is omitted.\n\t */\n\treadonly days?: number;\n}\n\n/**\n * Input for {@linkcode createCertificate}.\n */\nexport interface CreateCertificateInput {\n\t/**\n\t * Issuer distinguished name.\n\t */\n\treadonly issuer: NameInput;\n\t/**\n\t * Subject distinguished name.\n\t */\n\treadonly subject: NameInput;\n\t/**\n\t * Subject public key to encode into the certificate.\n\t */\n\treadonly publicKey: CryptoKey;\n\t/**\n\t * Private key used to sign the certificate.\n\t */\n\treadonly signerPrivateKey: CryptoKey;\n\t/**\n\t * Issuer public key.\n\t *\n\t * Provide this when extension builders need issuer key material, such as\n\t * authority key identifier derivation.\n\t */\n\treadonly issuerPublicKey?: CryptoKey;\n\t/**\n\t * Validity window configuration.\n\t */\n\treadonly validity?: ValidityInput;\n\t/**\n\t * DER integer bytes for the certificate serial number.\n\t *\n\t * When omitted, a random positive 16-byte serial number is generated.\n\t */\n\treadonly serialNumber?: Uint8Array;\n\t/**\n\t * X.509 extensions to encode into the certificate.\n\t */\n\treadonly extensions?: CertificateExtensionsInput;\n\t/**\n\t * Signature algorithm override.\n\t *\n\t * When omitted, the library selects a compatible profile from the signing\n\t * key.\n\t */\n\treadonly signature?: SignatureProfileInput;\n}\n\n/**\n * Input for {@linkcode createSelfSignedCertificate}.\n */\nexport interface CreateSelfSignedCertificateInput {\n\t/**\n\t * Subject distinguished name used as both subject and issuer.\n\t */\n\treadonly subject: NameInput;\n\t/**\n\t * Key generation parameters.\n\t *\n\t * Ignored when `keyPair` is provided.\n\t */\n\treadonly algorithm?: KeyAlgorithmInput;\n\t/**\n\t * Existing key pair to reuse for both subject and issuer.\n\t *\n\t * When omitted, a new key pair is generated.\n\t */\n\treadonly keyPair?: KeyPairMaterial;\n\t/**\n\t * Validity window configuration.\n\t */\n\treadonly validity?: ValidityInput;\n\t/**\n\t * DER integer bytes for the certificate serial number.\n\t */\n\treadonly serialNumber?: Uint8Array;\n\t/**\n\t * X.509 extensions to encode into the certificate.\n\t */\n\treadonly extensions?: CertificateExtensionsInput;\n\t/**\n\t * Signature algorithm override.\n\t */\n\treadonly signature?: SignatureProfileInput;\n}\n\n/**\n * Encoded certificate material in common interchange formats.\n */\nexport interface CertificateMaterial {\n\t/**\n\t * DER-encoded certificate bytes.\n\t */\n\treadonly der: Uint8Array;\n\t/**\n\t * PEM-encoded certificate.\n\t */\n\treadonly pem: string;\n\t/**\n\t * Base64 encoding of {@linkcode der} without PEM armor.\n\t */\n\treadonly base64: string;\n}\n\n/**\n * Result returned by {@linkcode createSelfSignedCertificate}.\n */\nexport interface SelfSignedCertificateResult {\n\t/**\n\t * Encoded certificate outputs.\n\t */\n\treadonly certificate: CertificateMaterial;\n\t/**\n\t * Key pair used to issue the certificate.\n\t */\n\treadonly keyPair: KeyPairMaterial;\n}\n\n/**\n * Create a self-signed certificate.\n *\n * Reuses `input.keyPair` when provided; otherwise generates a new key pair from\n * `input.algorithm`. The returned certificate uses `input.subject` as both\n * issuer and subject.\n *\n * @example\n * ```ts\n * const { certificate, keyPair } = await createSelfSignedCertificate({\n * \tsubject: { commonName: 'example.com' },\n * \talgorithm: { kind: 'ecdsa', curve: 'P-256' },\n * });\n * ```\n *\n * @param input Certificate subject, key, validity, and extension settings.\n * @returns The certificate plus the key pair used to sign it.\n */\nexport async function createSelfSignedCertificate(\n\tinput: CreateSelfSignedCertificateInput,\n): Promise<SelfSignedCertificateResult> {\n\tconst keyPair = input.keyPair ?? (await generateKeyPair(input.algorithm));\n\tconst certificateInput = {\n\t\tissuer: input.subject,\n\t\tsubject: input.subject,\n\t\tpublicKey: keyPair.publicKey,\n\t\tsignerPrivateKey: keyPair.privateKey,\n\t\tissuerPublicKey: keyPair.publicKey,\n\t\t...(input.validity !== undefined ? { validity: input.validity } : {}),\n\t\t...(input.serialNumber !== undefined ? { serialNumber: input.serialNumber } : {}),\n\t\t...(input.extensions !== undefined ? { extensions: input.extensions } : {}),\n\t\t...(input.signature !== undefined ? { signature: input.signature } : {}),\n\t} satisfies CreateCertificateInput;\n\tconst certificate = await createCertificate(certificateInput);\n\n\treturn { certificate, keyPair };\n}\n\n/**\n * Create an X.509 certificate signed by `input.signerPrivateKey`.\n *\n * The certificate encodes `input.subject`, `input.publicKey`, and any supplied\n * extensions. When `serialNumber` is omitted, a random positive serial number is\n * generated. When `validity` is omitted, the certificate is valid from now for\n * 30 days.\n *\n * @example\n * ```ts\n * const certificate = await createCertificate({\n * \tissuer: { commonName: 'Example Root CA' },\n * \tsubject: { commonName: 'example.com' },\n * \tpublicKey: leafKeys.publicKey,\n * \tsignerPrivateKey: issuerKeys.privateKey,\n * \tissuerPublicKey: issuerKeys.publicKey,\n * });\n * ```\n *\n * @param input Issuer, subject, key, validity, and extension settings.\n * @returns The encoded certificate material.\n */\nexport async function createCertificate(\n\tinput: CreateCertificateInput,\n): Promise<CertificateMaterial> {\n\tconst subjectPublicKeyInfo = await exportSpkiDer(input.publicKey);\n\tconst issuerPublicKeyInfo = input.issuerPublicKey\n\t\t? await exportSpkiDer(input.issuerPublicKey)\n\t\t: undefined;\n\tconst signatureAlgorithm = getSignatureAlgorithm(input.signerPrivateKey, input.signature);\n\tconst validity = resolveValidity(input.validity);\n\tconst subjectIsEmpty = isNameInputEmpty(input.subject);\n\tconst extensions = buildCertificateExtensions(\n\t\tsubjectPublicKeyInfo,\n\t\tissuerPublicKeyInfo,\n\t\tinput.extensions,\n\t\tsubjectIsEmpty,\n\t);\n\tconst tbsCertificate = sequence([\n\t\texplicitContext(0, integerFromNumber(2)),\n\t\tinteger(input.serialNumber ?? randomSerialNumber()),\n\t\tencodeAlgorithmIdentifier(signatureAlgorithm),\n\t\tencodeName(input.issuer),\n\t\tsequence([time(validity.notBefore), time(validity.notAfter)]),\n\t\tencodeName(input.subject),\n\t\tsubjectPublicKeyInfo,\n\t\texplicitContext(3, sequence(extensions)),\n\t]);\n\n\tconst signatureValue = await signBytes(\n\t\tinput.signerPrivateKey,\n\t\tsignatureAlgorithm,\n\t\ttbsCertificate,\n\t);\n\tconst certificateDer = sequence([\n\t\ttbsCertificate,\n\t\tencodeAlgorithmIdentifier(signatureAlgorithm),\n\t\tbitString(signatureValue),\n\t]);\n\n\treturn materializeCertificate(certificateDer);\n}\n\n/**\n * Convert DER bytes into all exported certificate encodings.\n *\n * @param der DER-encoded certificate bytes.\n * @returns DER, PEM, and base64 views of the same certificate.\n */\nfunction materializeCertificate(der: Uint8Array): CertificateMaterial {\n\treturn {\n\t\tder,\n\t\tpem: pemEncode('CERTIFICATE', der),\n\t\tbase64: base64Encode(der),\n\t};\n}\n\n/**\n * Normalized validity window used during certificate creation.\n */\ninterface ResolvedValidity {\n\t/**\n\t * Start of the validity window.\n\t */\n\treadonly notBefore: Date;\n\t/**\n\t * End of the validity window.\n\t */\n\treadonly notAfter: Date;\n}\n\n/**\n * Resolve defaults for a certificate validity window.\n *\n * @param input Optional validity settings.\n * @returns A concrete `notBefore` and `notAfter` pair.\n */\nfunction resolveValidity(input: ValidityInput | undefined): ResolvedValidity {\n\tconst notBefore = input?.notBefore ?? new Date();\n\tconst notAfter = input?.notAfter ?? addDays(notBefore, input?.days ?? 30);\n\tif (notAfter.getTime() <= notBefore.getTime()) {\n\t\tthrow new Error('notAfter must be after notBefore');\n\t}\n\treturn { notBefore, notAfter };\n}\n\n/**\n * Return a new date offset by a whole number of UTC days.\n *\n * @param date Base date.\n * @param days Number of days to add.\n * @returns The shifted date.\n */\nfunction addDays(date: Date, days: number): Date {\n\tconst out = new Date(date.getTime());\n\tout.setUTCDate(out.getUTCDate() + days);\n\treturn out;\n}\n\n/**\n * Generate a random positive serial number suitable for certificate issuance.\n *\n * @returns A 16-byte positive serial number.\n */\nfunction randomSerialNumber(): Uint8Array {\n\tconst serial = getCrypto().getRandomValues(new Uint8Array(16));\n\tconst first = serial[0] ?? 0;\n\tserial[0] = first & 0x7f;\n\tif ((serial[0] ?? 0) === 0) {\n\t\tserial[0] = 1;\n\t}\n\treturn serial;\n}\n"],"mappings":"0lBAyMA,eAAsB,EACrB,EACuC,CACvC,IAAM,EAAU,EAAM,SAAY,MAAM,EAAgB,EAAM,SAAS,EAcvE,MAAO,CAAE,YAAA,MAFiB,EAAkB,CAV3C,OAAQ,EAAM,QACd,QAAS,EAAM,QACf,UAAW,EAAQ,UACnB,iBAAkB,EAAQ,WAC1B,gBAAiB,EAAQ,UACzB,GAAI,EAAM,WAAa,IAAA,GAA2C,CAAC,EAAhC,CAAE,SAAU,EAAM,QAAS,EAC9D,GAAI,EAAM,eAAiB,IAAA,GAAmD,CAAC,EAAxC,CAAE,aAAc,EAAM,YAAa,EAC1E,GAAI,EAAM,aAAe,IAAA,GAA+C,CAAC,EAApC,CAAE,WAAY,EAAM,UAAW,EACpE,GAAI,EAAM,YAAc,IAAA,GAA6C,CAAC,EAAlC,CAAE,UAAW,EAAM,SAAU,CAEP,CAAC,EAEtC,SAAQ,CAC/B,CAwBA,eAAsB,EACrB,EAC+B,CAC/B,IAAM,EAAuB,MAAM,EAAc,EAAM,SAAS,EAC1D,EAAsB,EAAM,gBAC/B,MAAM,EAAc,EAAM,eAAe,EACzC,IAAA,GACG,EAAqB,EAAsB,EAAM,iBAAkB,EAAM,SAAS,EAClF,EAAW,EAAgB,EAAM,QAAQ,EACzC,EAAiB,EAAiB,EAAM,OAAO,EAC/C,EAAa,EAClB,EACA,EACA,EAAM,WACN,CACD,EACM,EAAiB,EAAS,CAC/B,EAAgB,EAAG,EAAkB,CAAC,CAAC,EACvC,EAAQ,EAAM,cAAgB,EAAmB,CAAC,EAClD,EAA0B,CAAkB,EAC5C,EAAW,EAAM,MAAM,EACvB,EAAS,CAAC,EAAK,EAAS,SAAS,EAAG,EAAK,EAAS,QAAQ,CAAC,CAAC,EAC5D,EAAW,EAAM,OAAO,EACxB,EACA,EAAgB,EAAG,EAAS,CAAU,CAAC,CACxC,CAAC,EAEK,EAAiB,MAAM,EAC5B,EAAM,iBACN,EACA,CACD,EAOA,OAAO,EANgB,EAAS,CAC/B,EACA,EAA0B,CAAkB,EAC5C,EAAU,CAAc,CACzB,CAE2C,CAAC,CAC7C,CAQA,SAAS,EAAuB,EAAsC,CACrE,MAAO,CACN,MACA,IAAK,EAAU,cAAe,CAAG,EACjC,OAAQ,EAAa,CAAG,CACzB,CACD,CAsBA,SAAS,EAAgB,EAAoD,CAC5E,IAAM,EAAY,GAAO,WAAa,IAAI,KACpC,EAAW,GAAO,UAAY,EAAQ,EAAW,GAAO,MAAQ,EAAE,EACxE,GAAI,EAAS,QAAQ,GAAK,EAAU,QAAQ,EAC3C,MAAU,MAAM,kCAAkC,EAEnD,MAAO,CAAE,YAAW,UAAS,CAC9B,CASA,SAAS,EAAQ,EAAY,EAAoB,CAChD,IAAM,EAAM,IAAI,KAAK,EAAK,QAAQ,CAAC,EAEnC,OADA,EAAI,WAAW,EAAI,WAAW,EAAI,CAAI,EAC/B,CACR,CAOA,SAAS,GAAiC,CACzC,IAAM,EAAS,EAAU,CAAC,CAAC,gBAAgB,IAAI,WAAW,EAAE,CAAC,EAM7D,MAJA,GAAO,IADO,EAAO,IAAM,GACP,KACf,EAAO,IAAM,KAAO,IACxB,EAAO,GAAK,GAEN,CACR"}

package/dist/x509/csr.d.ts

@@ -0,0 +1,55 @@
+import { NameAttribute, NameFieldKey, NameInput, NameObject, RelativeDistinguishedNameInput, encodeName, encodeRelativeDistinguishedName } from "./name.js";
+import { AuthorityInfoAccessMethod, AuthorityInformationAccess, BasicConstraints, CertificateExtensionsInput, CertificatePolicies, CpsPolicyQualifierInfo, CustomAuthorityInfoAccessMethod, CustomExtendedKeyUsage, CustomExtension, CustomPolicyQualifierInfo, DistributionPoint, DistributionPointName, DistributionPointReason, ExtendedKeyUsage, GeneralName, GeneralSubtree, InhibitAnyPolicy, IssuingDistributionPoint, IssuingDistributionPointBase, IssuingDistributionPointForAttributeCerts, IssuingDistributionPointForCaCerts, IssuingDistributionPointForUserCerts, KeyUsage, KnownAuthorityInfoAccessMethod, KnownExtendedKeyUsage, NameConstraintForm, NameConstraints, ParsedNameConstraintForm, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyNoticeReference, PolicyQualifierInfo, SubjectAltName, UnsupportedNameConstraintForm, UserNoticePolicyQualifierInfo, buildCertificateExtensions, buildRequestedExtensions, encodeAuthorityInfoAccess, encodeBasicConstraints, encodeCertificatePolicies, encodeCrlDistributionPoints, encodeExtendedKeyUsage, encodeExtension, encodeInhibitAnyPolicy, encodeKeyUsage, encodeNameConstraints, encodePolicyConstraints, encodePolicyMappings, encodeSubjectAltName, getAuthorityInfoAccessMethodOid, getExtendedKeyUsageOid, parseAuthorityInfoAccessMethodOid, parseExtendedKeyUsageOid } from "./extensions.js";
+import { SignatureProfileInput } from "../internal/crypto/signing.js";
+
+//#region src/x509/csr.d.ts
+/** Input for {@linkcode createCertificateSigningRequest}. */
+interface CreateCsrInput {
+  /** Distinguished name for the CSR subject (e.g. `{ commonName: 'example.com' }`). */
+  readonly subject: NameInput;
+  /** WebCrypto public key to embed in the CSR's SubjectPublicKeyInfo. */
+  readonly publicKey: CryptoKey;
+  /** WebCrypto private key used to self-sign the CSR (proves key possession). */
+  readonly signerPrivateKey: CryptoKey;
+  /** Requested X.509v3 extensions to include in the CSR attributes. */
+  readonly extensions?: CertificateExtensionsInput;
+  /** Override the signature algorithm profile (hash, salt length, etc.). */
+  readonly signature?: SignatureProfileInput;
+}
+/** DER, PEM, and base64 encodings of a CSR produced by {@linkcode createCertificateSigningRequest}. */
+interface CsrMaterial {
+  /** Raw DER-encoded PKCS#10 CertificationRequest. */
+  readonly der: Uint8Array;
+  /** PEM-armored CSR (`-----BEGIN CERTIFICATE REQUEST-----`). */
+  readonly pem: string;
+  /** Base64-encoded DER (no PEM armor). */
+  readonly base64: string;
+}
+/**
+* Creates a PKCS#10 Certificate Signing Request signed with the given private key.
+*
+* The CSR embeds the public key's SPKI, the subject name, and any requested extensions
+* as attributes. The signature proves possession of the private key.
+*
+* @example
+* ```ts
+* import { createCertificateSigningRequest } from 'micro509';
+*
+* const keyPair = await crypto.subtle.generateKey(
+*   { name: 'ECDSA', namedCurve: 'P-256' },
+*   true,
+*   ['sign', 'verify'],
+* );
+* const csr = await createCertificateSigningRequest({
+*   subject: { commonName: 'example.com' },
+*   publicKey: keyPair.publicKey,
+*   signerPrivateKey: keyPair.privateKey,
+*   extensions: { subjectAltNames: [{ type: 'dns', value: 'example.com' }] },
+* });
+* console.log(csr.pem);
+* ```
+*/
+declare function createCertificateSigningRequest(input: CreateCsrInput): Promise<CsrMaterial>;
+//#endregion
+export { type AuthorityInfoAccessMethod, type AuthorityInformationAccess, type BasicConstraints, type CertificateExtensionsInput, type CertificatePolicies, type CpsPolicyQualifierInfo, CreateCsrInput, CsrMaterial, type CustomAuthorityInfoAccessMethod, type CustomExtendedKeyUsage, type CustomExtension, type CustomPolicyQualifierInfo, type DistributionPoint, type DistributionPointName, type DistributionPointReason, type ExtendedKeyUsage, type GeneralName, type GeneralSubtree, type InhibitAnyPolicy, type IssuingDistributionPoint, type IssuingDistributionPointBase, type IssuingDistributionPointForAttributeCerts, type IssuingDistributionPointForCaCerts, type IssuingDistributionPointForUserCerts, type KeyUsage, type KnownAuthorityInfoAccessMethod, type KnownExtendedKeyUsage, type NameConstraintForm, type NameConstraints, type NameInput, type NameObject, type ParsedNameConstraintForm, type PolicyConstraints, type PolicyInformation, type PolicyMapping, type PolicyMappings, type PolicyNoticeReference, type PolicyQualifierInfo, type SubjectAltName, type UnsupportedNameConstraintForm, type UserNoticePolicyQualifierInfo, type buildCertificateExtensions, type buildRequestedExtensions, createCertificateSigningRequest, type encodeAuthorityInfoAccess, type encodeBasicConstraints, type encodeCertificatePolicies, type encodeCrlDistributionPoints, type encodeExtendedKeyUsage, type encodeExtension, type encodeInhibitAnyPolicy, type encodeKeyUsage, type encodeName, type encodeNameConstraints, type encodePolicyConstraints, type encodePolicyMappings, type encodeRelativeDistinguishedName, type encodeSubjectAltName, type getAuthorityInfoAccessMethodOid, type getExtendedKeyUsageOid, type parseAuthorityInfoAccessMethodOid, type parseExtendedKeyUsageOid };
+//# sourceMappingURL=csr.d.ts.map

package/dist/x509/csr.js

@@ -0,0 +1,2 @@
+import{bitString as e,concatBytes as t,implicitConstructedContext as n,integerFromNumber as r,objectIdentifier as i,sequence as a,setOf as o}from"../internal/asn1/der.js";import{OIDS as s}from"../internal/asn1/oids.js";import{base64Encode as c}from"../internal/shared/base64.js";import{pemEncode as l}from"../pem/pem.js";import{exportSpkiDer as u}from"../keys/keys.js";import{encodeName as d}from"./name.js";import{buildRequestedExtensions as f}from"./extensions.js";import{encodeAlgorithmIdentifier as p,getSignatureAlgorithm as m,signBytes as h}from"../internal/crypto/signing.js";async function g(i){let o=m(i.signerPrivateKey,i.signature),s=await u(i.publicKey),f=_(i.extensions),g=a([r(0),d(i.subject),s,n(0,t(f))]),v=await h(i.signerPrivateKey,o,g),y=a([g,p(o),e(v)]);return{der:y,pem:l(`CERTIFICATE REQUEST`,y),base64:c(y)}}function _(e){let t=f(e);return t.length===0?[]:[a([i(s.extensionRequest),o([a(t)])])]}export{g as createCertificateSigningRequest};
+//# sourceMappingURL=csr.js.map

package/dist/x509/csr.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csr.js","names":[],"sources":["../../src/x509/csr.ts"],"sourcesContent":["/**\n * PKCS#10 Certificate Signing Request (CSR) creation.\n *\n * Builds a CSR from a subject name, WebCrypto key pair, and optional extensions,\n * producing DER, PEM, and base64 outputs.\n *\n * @module\n */\n\nimport {\n\tbitString,\n\tconcatBytes,\n\timplicitConstructedContext,\n\tintegerFromNumber,\n\tobjectIdentifier,\n\tsequence,\n\tsetOf,\n} from '#micro509/internal/asn1/der.ts';\nimport { OIDS } from '#micro509/internal/asn1/oids.ts';\nimport {\n\tencodeAlgorithmIdentifier,\n\tgetSignatureAlgorithm,\n\ttype SignatureProfileInput,\n\tsignBytes,\n} from '#micro509/internal/crypto/signing.ts';\nimport { base64Encode } from '#micro509/internal/shared/base64.ts';\nimport { exportSpkiDer } from '#micro509/keys/keys.ts';\nimport { pemEncode } from '#micro509/pem/pem.ts';\nimport { buildRequestedExtensions, type CertificateExtensionsInput } from './extensions.ts';\nimport { encodeName, type NameInput } from './name.ts';\n\nexport type * from './extensions.ts';\nexport type * from './name.ts';\n\n/** Input for {@linkcode createCertificateSigningRequest}. */\nexport interface CreateCsrInput {\n\t/** Distinguished name for the CSR subject (e.g. `{ commonName: 'example.com' }`). */\n\treadonly subject: NameInput;\n\t/** WebCrypto public key to embed in the CSR's SubjectPublicKeyInfo. */\n\treadonly publicKey: CryptoKey;\n\t/** WebCrypto private key used to self-sign the CSR (proves key possession). */\n\treadonly signerPrivateKey: CryptoKey;\n\t/** Requested X.509v3 extensions to include in the CSR attributes. */\n\treadonly extensions?: CertificateExtensionsInput;\n\t/** Override the signature algorithm profile (hash, salt length, etc.). */\n\treadonly signature?: SignatureProfileInput;\n}\n\n/** DER, PEM, and base64 encodings of a CSR produced by {@linkcode createCertificateSigningRequest}. */\nexport interface CsrMaterial {\n\t/** Raw DER-encoded PKCS#10 CertificationRequest. */\n\treadonly der: Uint8Array;\n\t/** PEM-armored CSR (`-----BEGIN CERTIFICATE REQUEST-----`). */\n\treadonly pem: string;\n\t/** Base64-encoded DER (no PEM armor). */\n\treadonly base64: string;\n}\n\n/**\n * Creates a PKCS#10 Certificate Signing Request signed with the given private key.\n *\n * The CSR embeds the public key's SPKI, the subject name, and any requested extensions\n * as attributes. The signature proves possession of the private key.\n *\n * @example\n * ```ts\n * import { createCertificateSigningRequest } from 'micro509';\n *\n * const keyPair = await crypto.subtle.generateKey(\n *   { name: 'ECDSA', namedCurve: 'P-256' },\n *   true,\n *   ['sign', 'verify'],\n * );\n * const csr = await createCertificateSigningRequest({\n *   subject: { commonName: 'example.com' },\n *   publicKey: keyPair.publicKey,\n *   signerPrivateKey: keyPair.privateKey,\n *   extensions: { subjectAltNames: [{ type: 'dns', value: 'example.com' }] },\n * });\n * console.log(csr.pem);\n * ```\n */\nexport async function createCertificateSigningRequest(input: CreateCsrInput): Promise<CsrMaterial> {\n\tconst signatureAlgorithm = getSignatureAlgorithm(input.signerPrivateKey, input.signature);\n\tconst spki = await exportSpkiDer(input.publicKey);\n\tconst attributes = buildAttributes(input.extensions);\n\tconst certificationRequestInfo = sequence([\n\t\tintegerFromNumber(0),\n\t\tencodeName(input.subject),\n\t\tspki,\n\t\timplicitConstructedContext(0, concatBytes(attributes)),\n\t]);\n\tconst normalizedSignature = await signBytes(\n\t\tinput.signerPrivateKey,\n\t\tsignatureAlgorithm,\n\t\tcertificationRequestInfo,\n\t);\n\n\tconst der = sequence([\n\t\tcertificationRequestInfo,\n\t\tencodeAlgorithmIdentifier(signatureAlgorithm),\n\t\tbitString(normalizedSignature),\n\t]);\n\treturn {\n\t\tder,\n\t\tpem: pemEncode('CERTIFICATE REQUEST', der),\n\t\tbase64: base64Encode(der),\n\t};\n}\n\n/** Encodes extensions into a CSR extensionRequest attribute, or returns empty. */\nfunction buildAttributes(extensions: CertificateExtensionsInput | undefined): Uint8Array[] {\n\tconst builtExtensions = buildRequestedExtensions(extensions);\n\tif (builtExtensions.length === 0) {\n\t\treturn [];\n\t}\n\treturn [sequence([objectIdentifier(OIDS.extensionRequest), setOf([sequence(builtExtensions)])])];\n}\n"],"mappings":"ukBAkFA,eAAsB,EAAgC,EAA6C,CAClG,IAAM,EAAqB,EAAsB,EAAM,iBAAkB,EAAM,SAAS,EAClF,EAAO,MAAM,EAAc,EAAM,SAAS,EAC1C,EAAa,EAAgB,EAAM,UAAU,EAC7C,EAA2B,EAAS,CACzC,EAAkB,CAAC,EACnB,EAAW,EAAM,OAAO,EACxB,EACA,EAA2B,EAAG,EAAY,CAAU,CAAC,CACtD,CAAC,EACK,EAAsB,MAAM,EACjC,EAAM,iBACN,EACA,CACD,EAEM,EAAM,EAAS,CACpB,EACA,EAA0B,CAAkB,EAC5C,EAAU,CAAmB,CAC9B,CAAC,EACD,MAAO,CACN,MACA,IAAK,EAAU,sBAAuB,CAAG,EACzC,OAAQ,EAAa,CAAG,CACzB,CACD,CAGA,SAAS,EAAgB,EAAkE,CAC1F,IAAM,EAAkB,EAAyB,CAAU,EAI3D,OAHI,EAAgB,SAAW,EACvB,CAAC,EAEF,CAAC,EAAS,CAAC,EAAiB,EAAK,gBAAgB,EAAG,EAAM,CAAC,EAAS,CAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAChG"}