micro509 0.1.0

package/dist/x509/extensions.d.ts

@@ -0,0 +1,550 @@
+import { NameAttribute, NameFieldKey, RelativeDistinguishedNameInput } from "./name.js";
+
+//#region src/x509/extensions.d.ts
+/**
+* RFC 5280 §4.2.1.3 Key Usage bit flag.
+*
+* Each value corresponds to one bit in the KeyUsage BIT STRING.
+*
+* @see {@link https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 RFC 5280 §4.2.1.3}
+*/
+type KeyUsage = "digitalSignature" | "nonRepudiation" | "keyEncipherment" | "dataEncipherment" | "keyAgreement" | "keyCertSign" | "cRLSign" | "encipherOnly" | "decipherOnly";
+/**
+* RFC 5280 §4.2.1.6 Subject Alternative Name / GeneralName.
+*
+* Discriminated union keyed on `type`.
+*
+* The `'unknown'` variant preserves unrecognized {@linkcode GeneralName} tags for round-trip fidelity.
+*/
+type SubjectAltName = {
+  /** DNS hostname (dNSName [2]). */readonly type: "dns"; /** Fully-qualified domain name, e.g. `"example.com"`. */
+  readonly value: string;
+} | {
+  /** IP address (iPAddress [7]). */readonly type: "ip"; /** Dotted-decimal IPv4 or colon-hex IPv6 string. */
+  readonly value: string;
+} | {
+  /** Email address (rfc822Name [1]). */readonly type: "email"; /** RFC 822 mailbox, e.g. `"admin@example.com"`. */
+  readonly value: string;
+} | {
+  /** URI (uniformResourceIdentifier [6]). */readonly type: "uri"; /** Absolute URI string. */
+  readonly value: string;
+} | {
+  /** SRV-ID otherName (id-on-dnsSRV). */readonly type: "srv"; /** SRV service name, e.g. `"_imaps.example.com"`. */
+  readonly value: string;
+} | {
+  /** X.500 directory name (directoryName [4]). */readonly type: "directoryName"; /** Hex-encoded DER of the Name SEQUENCE. */
+  readonly derHex: string;
+} | {
+  /** Unrecognized {@linkcode GeneralName} tag, preserved as raw bytes. */readonly type: "unknown"; /** ASN.1 context tag number. */
+  readonly tag: number; /** Raw content bytes of the element. */
+  readonly value: Uint8Array;
+};
+/** Alias for {@linkcode SubjectAltName} — used where RFC 5280 says "GeneralName". */
+type GeneralName = SubjectAltName;
+/**
+* Revocation reason flags for CRL Distribution Points and Issuing Distribution Points
+* (RFC 5280 §4.2.1.13, §5.2.5).
+*/
+type DistributionPointReason = "keyCompromise" | "cACompromise" | "affiliationChanged" | "superseded" | "cessationOfOperation" | "certificateHold" | "privilegeWithdrawn" | "aACompromise";
+/**
+* Name component of a CRL Distribution Point (RFC 5280 §4.2.1.13).
+*
+* Supply exactly one of `fullName` or `relativeName`.
+*/
+interface DistributionPointName {
+  /** Absolute {@linkcode GeneralName}(s) identifying the distribution point (usually a URI). */
+  readonly fullName?: readonly GeneralName[];
+  /** Name relative to the issuer's DN; mutually exclusive with `fullName`. */
+  readonly relativeName?: RelativeDistinguishedNameInput;
+}
+/**
+* Input for a single CRL Distribution Point (RFC 5280 §4.2.1.13).
+*
+* At least one of `distributionPoint` or `crlIssuer` must be provided.
+* The union enforces this constraint at the type level.
+*/
+type DistributionPoint = {
+  /** Where to fetch the CRL (fullName or relativeName). */readonly distributionPoint: DistributionPointName; /** Revocation reason subset. Absent means all reasons. */
+  readonly reasons?: readonly DistributionPointReason[]; /** Entity that signed the CRL, when different from the cert issuer. */
+  readonly crlIssuer?: readonly GeneralName[];
+} | {
+  /** Where to fetch the CRL. Optional when `crlIssuer` is present. */readonly distributionPoint?: DistributionPointName; /** Revocation reason subset. Absent means all reasons. */
+  readonly reasons?: readonly DistributionPointReason[]; /** Entity that signed the CRL. Required when `distributionPoint` is absent. */
+  readonly crlIssuer: readonly GeneralName[];
+};
+/** Base shape for Issuing Distribution Point (RFC 5280 §5.2.5) — no scope restriction. */
+interface IssuingDistributionPointBase {
+  /** Where to fetch this CRL. */
+  readonly distributionPoint?: DistributionPointName;
+  /** Limits the CRL to these revocation reasons. Absent means all reasons. */
+  readonly onlySomeReasons?: readonly DistributionPointReason[];
+  /** When true, the CRL may contain entries from other CAs. Default false. */
+  readonly indirectCrl?: boolean;
+  /** Must be absent or false in this variant (no user-cert-only restriction). */
+  readonly onlyContainsUserCerts?: false;
+  /** Must be absent or false in this variant (no CA-cert-only restriction). */
+  readonly onlyContainsCACerts?: false;
+  /** When true, the CRL only covers attribute certificates. Default false. */
+  readonly onlyContainsAttributeCerts?: boolean;
+}
+/** IDP scoped to end-entity (user) certificates only. Mutually exclusive with CA / attribute scopes. */
+interface IssuingDistributionPointForUserCerts extends Omit<IssuingDistributionPointBase, "onlyContainsUserCerts"> {
+  /** This variant only covers end-entity certificates. */
+  readonly onlyContainsUserCerts: true;
+  /** Must be absent or false when the CRL is not CA-only. */
+  readonly onlyContainsCACerts?: false;
+  /** Must be absent or false when the CRL is not attribute-cert-only. */
+  readonly onlyContainsAttributeCerts?: false;
+}
+/** IDP scoped to CA certificates only. Mutually exclusive with user / attribute scopes. */
+interface IssuingDistributionPointForCaCerts extends Omit<IssuingDistributionPointBase, "onlyContainsCACerts"> {
+  /** Must be absent or false when the CRL is not user-cert-only. */
+  readonly onlyContainsUserCerts?: false;
+  /** This variant only covers CA certificates. */
+  readonly onlyContainsCACerts: true;
+  /** Must be absent or false when the CRL is not attribute-cert-only. */
+  readonly onlyContainsAttributeCerts?: false;
+}
+/** IDP scoped to attribute certificates only. Mutually exclusive with user / CA scopes. */
+interface IssuingDistributionPointForAttributeCerts extends Omit<IssuingDistributionPointBase, "onlyContainsAttributeCerts"> {
+  /** Must be absent or false when the CRL is not user-cert-only. */
+  readonly onlyContainsUserCerts?: false;
+  /** Must be absent or false when the CRL is not CA-only. */
+  readonly onlyContainsCACerts?: false;
+  /** This variant only covers attribute certificates. */
+  readonly onlyContainsAttributeCerts: true;
+}
+/**
+* Input for the Issuing Distribution Point CRL extension (RFC 5280 §5.2.5).
+*
+* The union enforces that at most one of the `onlyContains*` flags is true.
+*/
+type IssuingDistributionPoint = IssuingDistributionPointBase | IssuingDistributionPointForUserCerts | IssuingDistributionPointForCaCerts | IssuingDistributionPointForAttributeCerts;
+/**
+* RFC 5280 §4.2.1.9 Basic Constraints.
+*
+* A certificate with `ca: true` may issue other certificates; `pathLength`
+* limits how many additional CAs may appear below it in the chain.
+*/
+interface BasicConstraints {
+  /** Whether this certificate belongs to a CA. End-entity certs set this to `false`. */
+  readonly ca: boolean;
+  /** Maximum number of intermediate CA certificates allowed below this CA. Only valid when `ca` is `true`. */
+  readonly pathLength?: number;
+}
+/** A single certificate policy: an OID plus optional qualifiers. */
+interface PolicyInformation {
+  /** Dotted-decimal OID of the policy (e.g. `"2.23.140.1.2.1"` for DV). */
+  readonly policyIdentifier: string;
+  /** Optional CPS URIs or user notices attached to this policy. */
+  readonly policyQualifiers?: readonly PolicyQualifierInfo[];
+}
+/** RFC 5280 §4.2.1.4 — array of policy OIDs with optional qualifiers. */
+type CertificatePolicies = readonly {
+  /** Dotted-decimal OID of the policy (e.g. `"2.23.140.1.2.1"` for DV). */readonly policyIdentifier: string; /** Optional CPS URIs or user notices attached to this policy. */
+  readonly policyQualifiers?: readonly ({
+    readonly type: "cps";
+    readonly uri: string;
+  } | {
+    readonly type: "userNotice";
+    readonly noticeRef?: {
+      readonly organization: string;
+      readonly noticeNumbers: readonly number[];
+    };
+    readonly explicitText?: string;
+  } | {
+    readonly type: "oid";
+    readonly oid: string;
+    readonly qualifierDer: Uint8Array;
+  })[];
+}[];
+/** CPS (Certification Practice Statement) URI policy qualifier. */
+interface CpsPolicyQualifierInfo {
+  /** Discriminant for the `'cps'` qualifier variant. */
+  readonly type: "cps";
+  /** URL of the Certification Practice Statement document. */
+  readonly uri: string;
+}
+/** Reference to a numbered notice within an organization's practice statement. */
+interface PolicyNoticeReference {
+  /** Organization name that published the notice. */
+  readonly organization: string;
+  /** One-based notice numbers within that organization's documentation. */
+  readonly noticeNumbers: readonly number[];
+}
+/** UserNotice policy qualifier — human-readable notice text and/or a notice reference. */
+interface UserNoticePolicyQualifierInfo {
+  /** Discriminant for the `'userNotice'` qualifier variant. */
+  readonly type: "userNotice";
+  /** Pointer to a numbered notice in an organization's practice statement. */
+  readonly noticeRef?: PolicyNoticeReference;
+  /** Free-form text to display to relying parties. */
+  readonly explicitText?: string;
+}
+/** Opaque policy qualifier identified by a custom OID, carried as raw DER. */
+interface CustomPolicyQualifierInfo {
+  /** Discriminant for the custom-OID qualifier variant. */
+  readonly type: "oid";
+  /** Dotted-decimal OID of the qualifier. */
+  readonly oid: string;
+  /** DER-encoded qualifier payload. */
+  readonly qualifierDer: Uint8Array;
+}
+/** Discriminated union of all supported policy qualifier types. */
+type PolicyQualifierInfo = CpsPolicyQualifierInfo | UserNoticePolicyQualifierInfo | CustomPolicyQualifierInfo;
+/** Maps a policy OID in the issuer's domain to an equivalent OID in the subject's domain. */
+interface PolicyMapping {
+  /** Policy OID as defined by the issuing CA. Must not be anyPolicy. */
+  readonly issuerDomainPolicy: string;
+  /** Equivalent policy OID in the subject CA's domain. Must not be anyPolicy. */
+  readonly subjectDomainPolicy: string;
+}
+/** RFC 5280 §4.2.1.5 — array of issuer-to-subject policy OID pairs. */
+type PolicyMappings = readonly {
+  /** Policy OID as defined by the issuing CA. Must not be anyPolicy. */readonly issuerDomainPolicy: string; /** Equivalent policy OID in the subject CA's domain. Must not be anyPolicy. */
+  readonly subjectDomainPolicy: string;
+}[];
+/**
+* RFC 5280 §4.2.1.11 Policy Constraints.
+*
+* At least one field must be present. Values are certificate-count
+* thresholds measured from the current certificate toward the end entity.
+*/
+interface PolicyConstraints {
+  /** After this many certificates, an acceptable policy must be in the path. */
+  readonly requireExplicitPolicy?: number;
+  /** After this many certificates, policy mapping is no longer allowed. */
+  readonly inhibitPolicyMapping?: number;
+}
+/**
+* RFC 5280 §4.2.1.14 Inhibit anyPolicy.
+*
+* After `skipCerts` additional certificates in the path, the special
+* anyPolicy OID is no longer considered a match.
+*/
+interface InhibitAnyPolicy {
+  /** Number of additional certificates before anyPolicy stops being valid. */
+  readonly skipCerts: number;
+}
+/**
+* Input for `createCertificate`, `createSelfSignedCertificate`,
+* and `createCertificateSigningRequest`.
+*
+* Every field is optional. Omitted extensions are not encoded. Built-in
+* extensions (SKI, AKI, basicConstraints defaults) are handled automatically
+* by the builder.
+*/
+interface CertificateExtensionsInput {
+  /** Subject Alternative Names (dns, ip, email, uri, srv, directoryName). */
+  readonly subjectAltNames?: readonly SubjectAltName[];
+  /** Key Usage flags (digitalSignature, keyCertSign, etc.). */
+  readonly keyUsage?: readonly KeyUsage[];
+  /** Basic Constraints (CA flag + optional pathLength). Defaults to `{ ca: false }` for certs. */
+  readonly basicConstraints?: BasicConstraints;
+  /** Extended Key Usage purposes (serverAuth, clientAuth, etc.). */
+  readonly extendedKeyUsage?: readonly ExtendedKeyUsage[];
+  /** Name Constraints — permitted and/or excluded subtrees. */
+  readonly nameConstraints?: NameConstraints;
+  /** Certificate Policies with optional qualifiers. */
+  readonly certificatePolicies?: CertificatePolicies;
+  /** Policy Mappings between issuer and subject policy domains. */
+  readonly policyMappings?: PolicyMappings;
+  /** Policy Constraints (requireExplicitPolicy / inhibitPolicyMapping thresholds). */
+  readonly policyConstraints?: PolicyConstraints;
+  /** Inhibit anyPolicy skip-certs threshold. */
+  readonly inhibitAnyPolicy?: InhibitAnyPolicy;
+  /** Authority Information Access — OCSP responder and CA issuer URIs. */
+  readonly authorityInfoAccess?: readonly AuthorityInformationAccess[];
+  /** CRL Distribution Points — where to check revocation status. */
+  readonly crlDistributionPoints?: readonly DistributionPoint[];
+  /** Arbitrary extensions not covered by the built-in fields. */
+  readonly customExtensions?: readonly CustomExtension[];
+}
+/** An extension not covered by the typed fields in {@linkcode CertificateExtensionsInput}. */
+interface CustomExtension {
+  /** Dotted-decimal OID of the extension. */
+  readonly oid: string;
+  /** Pre-encoded DER content for the extnValue OCTET STRING. */
+  readonly value: Uint8Array;
+  /** Whether the extension is critical. Default `false`. */
+  readonly critical?: boolean;
+}
+/**
+* A name form used as a constraint base in namEConstraints.
+* Distinct from {@linkcode SubjectAltName} because IP constraints carry
+* address + mask bytes (8 for IPv4, 32 for IPv6) rather than bare addresses.
+*/
+type NameConstraintForm = {
+  /** DNS domain constraint (dNSName [2]). */readonly type: "dns"; /** Domain suffix, e.g. `".example.com"` or `"example.com"`. */
+  readonly value: string;
+} | {
+  /** Email constraint (rfc822Name [1]). */readonly type: "email"; /** Email domain or full address pattern. */
+  readonly value: string;
+} | {
+  /** URI constraint (uniformResourceIdentifier [6]). */readonly type: "uri"; /** Host or domain component of a URI. */
+  readonly value: string;
+} | {
+  /** IP range constraint (iPAddress [7]). */readonly type: "ip"; /** Network address bytes (4 for IPv4, 16 for IPv6). */
+  readonly addressBytes: Uint8Array; /** Subnet mask bytes (same length as addressBytes). */
+  readonly maskBytes: Uint8Array;
+} | {
+  /** Directory name constraint (directoryName [4]). */readonly type: "directoryName"; /** Hex-encoded DER of the Name SEQUENCE. */
+  readonly derHex: string;
+};
+/**
+* Name constraint forms parsed from DER but not supported for encoding or
+* validation. Preserved for diagnostic round-tripping.
+*/
+type UnsupportedNameConstraintForm = {
+  /** otherName [0] — raw bytes. */readonly type: "otherName";
+  readonly value: Uint8Array;
+} | {
+  /** x400Address [3] — raw bytes. */readonly type: "x400Address";
+  readonly value: Uint8Array;
+} | {
+  /** ediPartyName [5] — raw bytes. */readonly type: "ediPartyName";
+  readonly value: Uint8Array;
+} | {
+  /** registeredID [8] — decoded OID string. */readonly type: "registeredID";
+  readonly value: string;
+};
+/** Union of supported and unsupported name constraint forms as produced by parsing. */
+type ParsedNameConstraintForm = {
+  readonly type: "dns";
+  readonly value: string;
+} | {
+  readonly type: "email";
+  readonly value: string;
+} | {
+  readonly type: "uri";
+  readonly value: string;
+} | {
+  readonly type: "ip";
+  readonly addressBytes: Uint8Array;
+  readonly maskBytes: Uint8Array;
+} | {
+  readonly type: "directoryName";
+  readonly derHex: string;
+} | {
+  readonly type: "otherName";
+  readonly value: Uint8Array;
+} | {
+  readonly type: "x400Address";
+  readonly value: Uint8Array;
+} | {
+  readonly type: "ediPartyName";
+  readonly value: Uint8Array;
+} | {
+  readonly type: "registeredID";
+  readonly value: string;
+};
+/** A single subtree entry in a Name Constraints permitted/excluded list. */
+interface GeneralSubtree<TForm extends ParsedNameConstraintForm = {
+  readonly type: "dns";
+  readonly value: string;
+} | {
+  readonly type: "email";
+  readonly value: string;
+} | {
+  readonly type: "uri";
+  readonly value: string;
+} | {
+  readonly type: "ip";
+  readonly addressBytes: Uint8Array;
+  readonly maskBytes: Uint8Array;
+} | {
+  readonly type: "directoryName";
+  readonly derHex: string;
+}> {
+  /** The name form that defines this constraint boundary. */
+  readonly base: TForm;
+}
+/**
+* RFC 5280 §4.2.1.10 Name Constraints.
+*
+* A CA certificate may restrict the namespace of all subject names in
+* subsequent certificates in the path.
+*/
+interface NameConstraints<TForm extends ParsedNameConstraintForm = {
+  readonly type: "dns";
+  readonly value: string;
+} | {
+  readonly type: "email";
+  readonly value: string;
+} | {
+  readonly type: "uri";
+  readonly value: string;
+} | {
+  readonly type: "ip";
+  readonly addressBytes: Uint8Array;
+  readonly maskBytes: Uint8Array;
+} | {
+  readonly type: "directoryName";
+  readonly derHex: string;
+}> {
+  /** Names that MUST fall within these subtrees to be valid. */
+  readonly permittedSubtrees?: readonly GeneralSubtree<TForm>[];
+  /** Names that MUST NOT fall within these subtrees. Takes precedence over permitted. */
+  readonly excludedSubtrees?: readonly GeneralSubtree<TForm>[];
+}
+/** Well-known AIA access methods: OCSP responder or CA issuer certificate. */
+type KnownAuthorityInfoAccessMethod = "ocsp" | "caIssuers";
+/** AIA access method identified by a custom OID not in the well-known set. */
+interface CustomAuthorityInfoAccessMethod {
+  /** Discriminant for the custom-OID access method variant. */
+  readonly type: "oid";
+  /** Dotted-decimal OID of the access method. */
+  readonly value: string;
+}
+/** AIA access method — either a well-known string or a custom OID. */
+type AuthorityInfoAccessMethod = KnownAuthorityInfoAccessMethod | CustomAuthorityInfoAccessMethod;
+/** A single entry in the Authority Information Access extension (RFC 5280 §4.2.2.1). */
+interface AuthorityInformationAccess {
+  /** Access method (`'ocsp'`, `'caIssuers'`, or custom OID). */
+  readonly method: "ocsp" | "caIssuers" | {
+    readonly type: "oid";
+    readonly value: string;
+  };
+  /** URI where the resource can be fetched. */
+  readonly uri: string;
+}
+/** Well-known Extended Key Usage purpose strings (RFC 5280 §4.2.1.12). */
+type KnownExtendedKeyUsage = "serverAuth" | "clientAuth" | "codeSigning" | "emailProtection" | "timeStamping" | "ocspSigning";
+/** Extended Key Usage purpose identified by a custom OID. */
+interface CustomExtendedKeyUsage {
+  /** Discriminant for the custom-OID EKU variant. */
+  readonly type: "oid";
+  /** Dotted-decimal OID of the usage purpose. */
+  readonly value: string;
+}
+/** Extended Key Usage — either a well-known purpose string or a custom OID. */
+type ExtendedKeyUsage = "serverAuth" | "clientAuth" | "codeSigning" | "emailProtection" | "timeStamping" | "ocspSigning" | {
+  readonly type: "oid";
+  readonly value: string;
+};
+/**
+* Build the v3 extensions block for a certificate.
+*
+* Automatically adds SKI, AKI (when issuer key is available), and
+* basicConstraints (defaults to `{ ca: false }`). Additional extensions
+* come from the caller's {@linkcode CertificateExtensionsInput}.
+*
+* @param subjectPublicKeyInfo DER-encoded SPKI of the subject.
+* @param issuerPublicKeyInfo DER-encoded SPKI of the issuer, or `undefined` for self-signed.
+* @param input Optional extension configuration.
+* @param subjectIsEmpty Whether the certificate subject DN is empty. When `true`, the
+*   subjectAltName extension is marked critical per RFC 5280 §4.2.1.6.
+* @returns Array of DER-encoded Extension SEQUENCEs.
+*/
+declare function buildCertificateExtensions(subjectPublicKeyInfo: Uint8Array, issuerPublicKeyInfo: Uint8Array | undefined, input: CertificateExtensionsInput | undefined, subjectIsEmpty?: boolean): Uint8Array[];
+/**
+* Build the extensions for a CSR's extensionRequest attribute.
+*
+* Unlike {@linkcode buildCertificateExtensions}, SKI/AKI are not auto-generated.
+*
+* @param input Optional extension configuration.
+* @returns Array of DER-encoded Extension SEQUENCEs.
+*/
+declare function buildRequestedExtensions(input: CertificateExtensionsInput | undefined): Uint8Array[];
+/**
+* Encode a single X.509 Extension SEQUENCE (OID + optional critical BOOLEAN + OCTET STRING).
+*
+* @param oid Dotted-decimal extension OID.
+* @param extnValue DER-encoded extension payload.
+* @param critical Whether to mark the extension as critical. Default `false`.
+*/
+declare function encodeExtension(oid: string, extnValue: Uint8Array, critical?: boolean): Uint8Array;
+/**
+* DER-encode a {@linkcode BasicConstraints} value.
+*
+* @param input CA flag and optional pathLength.
+* @returns DER SEQUENCE suitable for wrapping in an Extension OCTET STRING.
+*/
+declare function encodeBasicConstraints(input: BasicConstraints): Uint8Array;
+/**
+* DER-encode a Key Usage BIT STRING from an array of {@linkcode KeyUsage} flags.
+*
+* @param usages Flags to set in the bit string.
+*/
+declare function encodeKeyUsage(usages: readonly KeyUsage[]): Uint8Array;
+/**
+* DER-encode a single {@linkcode SubjectAltName} GeneralName element.
+*
+* @param value The SAN entry to encode.
+*/
+declare function encodeSubjectAltName(value: SubjectAltName): Uint8Array;
+/**
+* DER-encode an Extended Key Usage SEQUENCE OF OIDs.
+*
+* @param usages EKU purposes to encode.
+*/
+declare function encodeExtendedKeyUsage(usages: readonly ExtendedKeyUsage[]): Uint8Array;
+/**
+* DER-encode an Authority Information Access SEQUENCE.
+*
+* @param entries AIA entries (OCSP, caIssuers, or custom) to encode.
+*/
+declare function encodeAuthorityInfoAccess(entries: readonly AuthorityInformationAccess[]): Uint8Array;
+/**
+* DER-encode a CRL Distribution Points SEQUENCE.
+*
+* @param points Distribution points to encode.
+*/
+declare function encodeCrlDistributionPoints(points: readonly DistributionPoint[]): Uint8Array;
+/**
+* DER-encode a Name Constraints extension value.
+*
+* @param constraints Permitted and/or excluded subtrees.
+*/
+declare function encodeNameConstraints(constraints: NameConstraints): Uint8Array;
+/**
+* DER-encode a Certificate Policies extension value.
+*
+* @param policies Non-empty array of policy information entries.
+*/
+declare function encodeCertificatePolicies(policies: CertificatePolicies): Uint8Array;
+/**
+* DER-encode a Policy Mappings extension value.
+*
+* @param mappings Non-empty array of issuer-to-subject policy pairs. Neither OID may be anyPolicy.
+*/
+declare function encodePolicyMappings(mappings: PolicyMappings): Uint8Array;
+/**
+* DER-encode a Policy Constraints extension value.
+*
+* @param constraints At least one of `requireExplicitPolicy` or `inhibitPolicyMapping` must be set.
+*/
+declare function encodePolicyConstraints(constraints: PolicyConstraints): Uint8Array;
+/**
+* DER-encode an Inhibit anyPolicy extension value (single INTEGER).
+*
+* @param input The skipCerts threshold.
+*/
+declare function encodeInhibitAnyPolicy(input: InhibitAnyPolicy): Uint8Array;
+/**
+* Resolve an {@linkcode ExtendedKeyUsage} to its dotted-decimal OID.
+*
+* @param usage Well-known string or custom OID object.
+*/
+declare function getExtendedKeyUsageOid(usage: ExtendedKeyUsage): string;
+/**
+* Map a dotted-decimal OID to an {@linkcode ExtendedKeyUsage} value.
+*
+* Returns a well-known string for recognized OIDs, or `{ type: 'oid', value }` otherwise.
+*/
+declare function parseExtendedKeyUsageOid(oid: string): ExtendedKeyUsage;
+/**
+* Resolve an {@linkcode AuthorityInfoAccessMethod} to its dotted-decimal OID.
+*
+* @param method Well-known string or custom OID object.
+*/
+declare function getAuthorityInfoAccessMethodOid(method: AuthorityInfoAccessMethod): string;
+/**
+* Map a dotted-decimal OID to an {@linkcode AuthorityInfoAccessMethod} value.
+*
+* Returns `'ocsp'` or `'caIssuers'` for recognized OIDs, or `{ type: 'oid', value }` otherwise.
+*/
+declare function parseAuthorityInfoAccessMethodOid(oid: string): AuthorityInfoAccessMethod;
+//#endregion
+export { AuthorityInfoAccessMethod, AuthorityInformationAccess, BasicConstraints, CertificateExtensionsInput, CertificatePolicies, CpsPolicyQualifierInfo, CustomAuthorityInfoAccessMethod, CustomExtendedKeyUsage, CustomExtension, CustomPolicyQualifierInfo, DistributionPoint, DistributionPointName, DistributionPointReason, ExtendedKeyUsage, GeneralName, GeneralSubtree, InhibitAnyPolicy, IssuingDistributionPoint, IssuingDistributionPointBase, IssuingDistributionPointForAttributeCerts, IssuingDistributionPointForCaCerts, IssuingDistributionPointForUserCerts, KeyUsage, KnownAuthorityInfoAccessMethod, KnownExtendedKeyUsage, NameConstraintForm, NameConstraints, ParsedNameConstraintForm, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyNoticeReference, PolicyQualifierInfo, SubjectAltName, UnsupportedNameConstraintForm, UserNoticePolicyQualifierInfo, buildCertificateExtensions, buildRequestedExtensions, encodeAuthorityInfoAccess, encodeBasicConstraints, encodeCertificatePolicies, encodeCrlDistributionPoints, encodeExtendedKeyUsage, encodeExtension, encodeInhibitAnyPolicy, encodeKeyUsage, encodeNameConstraints, encodePolicyConstraints, encodePolicyMappings, encodeSubjectAltName, getAuthorityInfoAccessMethodOid, getExtendedKeyUsageOid, parseAuthorityInfoAccessMethodOid, parseExtendedKeyUsageOid };
+//# sourceMappingURL=extensions.d.ts.map

package/dist/x509/extensions.js

@@ -0,0 +1,2 @@
+import{bool as e,concatBytes as t,explicitContext as n,ia5String as r,implicitConstructedContext as i,implicitPrimitiveContext as a,integerFromNumber as o,objectIdentifier as s,octetString as ee,readElement as c,readRootElement as l,readSequenceChildren as u,sequence as d,tlv as te,utf8String as f}from"../internal/asn1/der.js";import{hexToBytes as ne}from"../internal/asn1/asn1.js";import{OIDS as p}from"../internal/asn1/oids.js";import{sha1 as m}from"../internal/crypto/hash.js";import{parseIpAddressToBytes as re}from"../internal/shared/ip.js";import{encodeDistributionPointReasonFlagsContent as h,encodeKeyUsageExtension as g}from"../internal/x509/extension-bits.js";import{encodeRelativeDistinguishedName as ie}from"./name.js";import{AUTHORITY_INFO_ACCESS_EXTENSION_DEFINITION as ae,AUTHORITY_KEY_IDENTIFIER_EXTENSION_DEFINITION as oe,BASIC_CONSTRAINTS_EXTENSION_DEFINITION as _,CERTIFICATE_POLICIES_EXTENSION_DEFINITION as se,CRL_DISTRIBUTION_POINTS_EXTENSION_DEFINITION as ce,EXTENDED_KEY_USAGE_EXTENSION_DEFINITION as le,INHIBIT_ANY_POLICY_EXTENSION_DEFINITION as v,KEY_USAGE_EXTENSION_DEFINITION as y,NAME_CONSTRAINTS_EXTENSION_DEFINITION as b,POLICY_CONSTRAINTS_EXTENSION_DEFINITION as x,POLICY_MAPPINGS_EXTENSION_DEFINITION as S,SUBJECT_ALT_NAME_EXTENSION_DEFINITION as C,SUBJECT_KEY_IDENTIFIER_EXTENSION_DEFINITION as w,getExtensionDefinition as T}from"../internal/x509/extension-registry.js";const E={serverAuth:p.serverAuth,clientAuth:p.clientAuth,codeSigning:p.codeSigning,emailProtection:p.emailProtection,timeStamping:p.timeStamping,ocspSigning:p.ocspSigning},D={ocsp:p.ocspAccessMethod,caIssuers:p.caIssuersAccessMethod};function O(e,t,n,r=!1){let i=[],a=new Set;return j(i,a,_,n?.basicConstraints??{ca:!1}),j(i,a,w,X(e)),t!==void 0&&j(i,a,oe,X(t)),A(i,a,n,`certificate`,{includeBasicConstraints:!1,subjectIsEmpty:r}),i}function k(e){let t=[];return A(t,new Set,e,`csr`,{includeBasicConstraints:!0}),t}function A(e,t,n,r,i){if(n!==void 0){if(i.includeBasicConstraints&&n.basicConstraints!==void 0&&j(e,t,_,n.basicConstraints),n.keyUsage!==void 0&&n.keyUsage.length>0&&j(e,t,y,n.keyUsage),n.subjectAltNames!==void 0&&n.subjectAltNames.length>0){let r=i.subjectIsEmpty===!0?!0:void 0;j(e,t,C,n.subjectAltNames,r)}if(n.extendedKeyUsage!==void 0&&n.extendedKeyUsage.length>0&&j(e,t,le,n.extendedKeyUsage),n.nameConstraints!==void 0&&j(e,t,b,n.nameConstraints),n.certificatePolicies!==void 0&&n.certificatePolicies.length>0&&j(e,t,se,n.certificatePolicies),n.policyMappings!==void 0&&n.policyMappings.length>0&&j(e,t,S,n.policyMappings),n.policyConstraints!==void 0&&j(e,t,x,n.policyConstraints),n.inhibitAnyPolicy!==void 0&&j(e,t,v,n.inhibitAnyPolicy),n.authorityInfoAccess!==void 0&&n.authorityInfoAccess.length>0&&j(e,t,ae,n.authorityInfoAccess),n.crlDistributionPoints!==void 0&&n.crlDistributionPoints.length>0&&j(e,t,ce,n.crlDistributionPoints),n.customExtensions!==void 0)for(let i of n.customExtensions){let n=T(i.oid);if(n!==void 0&&!n.contexts.includes(r))throw Error(`Extension ${i.oid} is not supported in ${r} context`);$(e,t,i.oid,new Uint8Array(i.value),i.critical??!1)}}}function j(e,t,n,r,i=n.defaultCritical){$(e,t,n.oid,n.encode(r),i)}function M(t,n,r=!1){let i=[s(t)];return r&&i.push(e(!0)),i.push(ee(n)),d(i)}function N(t){let n=[];if(t.ca&&n.push(e(!0)),t.pathLength!==void 0){if(!t.ca)throw Error(`pathLength requires ca=true`);n.push(o(t.pathLength))}return d(n)}function P(e){return g(e)}function F(e){switch(e.type){case`dns`:return a(2,new TextEncoder().encode(e.value));case`email`:return a(1,new TextEncoder().encode(e.value));case`uri`:return a(6,new TextEncoder().encode(e.value));case`srv`:return i(0,d([s(p.idOnDnsSrv),n(0,r(e.value))]));case`ip`:return a(7,ve(e.value));case`directoryName`:return i(4,K(e.derHex));case`unknown`:return te(e.tag,e.value);default:throw Error(`Unhandled SubjectAltName type: ${String(e)}`)}}function I(e){return d(e.map(e=>s(q(e))))}function ue(e){return d(e.map(e=>d([s(Y(e.method)),a(6,new TextEncoder().encode(e.uri))])))}function L(e){return d(e.map(e=>d(me(e))))}function R(e){let n=[];return e.permittedSubtrees!==void 0&&e.permittedSubtrees.length>0&&n.push(i(0,t(e.permittedSubtrees.map(G)))),e.excludedSubtrees!==void 0&&e.excludedSubtrees.length>0&&n.push(i(1,t(e.excludedSubtrees.map(G)))),d(n)}function z(e){if(e.length===0)throw Error(`certificatePolicies must not be empty`);return d(e.map(U))}function B(e){if(e.length===0)throw Error(`policyMappings must not be empty`);return d(e.map(e=>{if(Q(e.issuerDomainPolicy),Q(e.subjectDomainPolicy),e.issuerDomainPolicy===p.anyPolicy||e.subjectDomainPolicy===p.anyPolicy)throw Error(`policyMappings must not use anyPolicy`);return d([s(e.issuerDomainPolicy),s(e.subjectDomainPolicy)])}))}function V(e){let t=[];if(e.requireExplicitPolicy!==void 0&&t.push(a(0,W(e.requireExplicitPolicy))),e.inhibitPolicyMapping!==void 0&&t.push(a(1,W(e.inhibitPolicyMapping))),t.length===0)throw Error(`policyConstraints must set requireExplicitPolicy or inhibitPolicyMapping`);return d(t)}function H(e){return o(e.skipCerts)}function U(e){Q(e.policyIdentifier);let t=[s(e.policyIdentifier)];return e.policyQualifiers!==void 0&&e.policyQualifiers.length>0&&t.push(d(e.policyQualifiers.map(de))),d(t)}function de(e){switch(e.type){case`cps`:return d([s(p.cpsPolicyQualifier),r(e.uri)]);case`userNotice`:return d([s(p.userNoticePolicyQualifier),fe(e)]);case`oid`:return Z(e.oid),d([s(e.oid),new Uint8Array(e.qualifierDer)]);default:throw Error(`Unhandled PolicyQualifierInfo type: ${String(e)}`)}}function fe(e){let t=[];return e.noticeRef!==void 0&&t.push(pe(e.noticeRef)),e.explicitText!==void 0&&t.push(f(e.explicitText)),d(t)}function pe(e){return d([f(e.organization),d(e.noticeNumbers.map(e=>o(e)))])}function W(e){return c(o(e)).value}function G(e){return d([ge(e.base)])}function me(e){if(e.crlIssuer!==void 0&&e.crlIssuer.length===0)throw Error(`DistributionPoint crlIssuer must not be empty`);if(e.distributionPoint===void 0&&e.crlIssuer===void 0)throw Error(`DistributionPoint must contain distributionPoint or crlIssuer`);let n=[];return e.distributionPoint!==void 0&&n.push(i(0,he(e.distributionPoint))),e.reasons!==void 0&&e.reasons.length>0&&n.push(a(1,h(e.reasons))),e.crlIssuer!==void 0&&e.crlIssuer.length>0&&n.push(i(2,t(e.crlIssuer.map(F)))),n}function he(e){if(e.fullName!==void 0&&e.relativeName!==void 0)throw Error(`DistributionPointName cannot contain both fullName and relativeName`);if(e.fullName!==void 0){if(e.fullName.length===0)throw Error(`DistributionPointName fullName must not be empty`);return i(0,t(e.fullName.map(F)))}if(e.relativeName!==void 0){let t=ie(e.relativeName),n=c(t);return i(1,t.slice(n.start,n.end))}throw Error(`DistributionPointName must contain fullName or relativeName`)}function ge(e){switch(e.type){case`dns`:return a(2,new TextEncoder().encode(e.value));case`email`:return a(1,new TextEncoder().encode(e.value));case`uri`:return a(6,new TextEncoder().encode(e.value));case`ip`:return a(7,t([e.addressBytes,e.maskBytes]));case`directoryName`:return i(4,K(e.derHex));default:throw Error(`Unhandled NameConstraintForm type: ${String(e)}`)}}function K(e){let t=l(ne(e),{maxDepth:64});if(t.tag!==48)throw Error(`directoryName derHex must encode a DER SEQUENCE`);return new Uint8Array(t.value)}function q(e){return typeof e==`string`?E[e]:(Z(e.value),e.value)}function J(e){switch(e){case p.serverAuth:return`serverAuth`;case p.clientAuth:return`clientAuth`;case p.codeSigning:return`codeSigning`;case p.emailProtection:return`emailProtection`;case p.timeStamping:return`timeStamping`;case p.ocspSigning:return`ocspSigning`}return{type:`oid`,value:e}}function Y(e){return typeof e==`string`?D[e]:(Z(e.value),e.value)}function _e(e){switch(e){case p.ocspAccessMethod:return`ocsp`;case p.caIssuersAccessMethod:return`caIssuers`}return{type:`oid`,value:e}}function ve(e){return re(e)}function X(e){let t=u(e)[1];if(t===void 0||t.tag!==3)throw Error(`SPKI missing subject public key bit string`);return m(t.value.slice(1))}function Z(e){if(!/^\d+(?:\.\d+)+$/.test(e))throw Error(`Invalid OID: ${e}`)}function Q(e){Z(e)}function $(e,t,n,r,i=!1){if(Z(n),t.has(n))throw Error(`Duplicate extension OID: ${n}`);t.add(n),e.push(M(n,r,i))}export{O as buildCertificateExtensions,k as buildRequestedExtensions,X as buildSubjectKeyIdentifier,ue as encodeAuthorityInfoAccess,N as encodeBasicConstraints,z as encodeCertificatePolicies,L as encodeCrlDistributionPoints,I as encodeExtendedKeyUsage,M as encodeExtension,H as encodeInhibitAnyPolicy,P as encodeKeyUsage,R as encodeNameConstraints,V as encodePolicyConstraints,B as encodePolicyMappings,F as encodeSubjectAltName,Y as getAuthorityInfoAccessMethodOid,q as getExtendedKeyUsageOid,_e as parseAuthorityInfoAccessMethodOid,J as parseExtendedKeyUsageOid};
+//# sourceMappingURL=extensions.js.map