node-opcua-crypto 1.11.0 → 2.0.0

package/source/public_private_match.ts

@@ -1,18 +1,41 @@
-import { exploreCertificate } from ".";
-import { Certificate } from "./common";
-import { PrivateKey } from "./common";
-import { explorePrivateKey } from "./explore_private_key";
-
-export function  publicKeyAndPrivateKeyMatches(certificate: Certificate,privateKey: PrivateKey): boolean {
-
-    const i = exploreCertificate(certificate);
-    const j = explorePrivateKey(privateKey);
-
-    const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
-    const modulus2 = j.modulus;
-    
-    if (modulus1.length != modulus2.length) {
-        return false;
-    }
-    return modulus1.toString("hex") === modulus2.toString("hex");
-}
+import { explorePrivateKey } from "./explore_private_key";
+import { Certificate, CertificatePEM, PrivateKey, PrivateKeyPEM } from "./common";
+import { privateDecrypt_long, publicEncrypt_long, toPem } from "./crypto_utils";
+import { exploreCertificate } from "./crypto_explore_certificate";
+
+export function  publicKeyAndPrivateKeyMatches(certificate: Certificate,privateKey: PrivateKey): boolean {
+
+    const i = exploreCertificate(certificate);
+    const j = explorePrivateKey(privateKey);
+
+    const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
+    const modulus2 = j.modulus;
+    
+    if (modulus1.length != modulus2.length) {
+        return false;
+    }
+    return modulus1.toString("hex") === modulus2.toString("hex");
+}
+
+
+
+/**
+ * check that the given certificate matches the given private key
+ * @param certificate
+ * @param privateKey
+ */
+function certificateMatchesPrivateKeyPEM(certificate: CertificatePEM, privateKey: PrivateKeyPEM, blockSize: number): boolean {
+    const initialBuffer = Buffer.from("Lorem Ipsum");
+    const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize, 11);
+    const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
+    const finalString = decryptedBuffer.toString("utf-8");
+    return initialBuffer.toString("utf-8") === finalString;
+}
+
+export function certificateMatchesPrivateKey(certificate: Certificate, privateKey: PrivateKey): boolean {
+    const e = explorePrivateKey(privateKey);
+    const blockSize = e.modulus.length;
+    const certificatePEM = toPem(certificate, "CERTIFICATE");
+    const privateKeyPEM = toPem(privateKey, "RSA PRIVATE KEY");
+    return certificateMatchesPrivateKeyPEM(certificatePEM, privateKeyPEM, blockSize);
+}

package/source/verify_certificate_signature.ts

@@ -1,105 +1,105 @@
-// tslint:disable: no-console
-
-// Now that we got a hash of the original certificate,
-// we need to verify if we can obtain the same hash by using the same hashing function
-// (in this case SHA-384). In order to do that, we need to extract just the body of
-// the signed certificate. Which, in our case, is everything but the signature.
-// The start of the body is always the first digit of the second line of the following command:
-import * as crypto from "crypto";
-
-import { Certificate, PrivateKey } from "./common";
-import { split_der, exploreCertificate } from "./crypto_explore_certificate";
-import { toPem } from "./crypto_utils";
-import { _readAlgorithmIdentifier, _readSignatureValueBin, TagType, readTag, _readStruct, _getBlock } from "./asn1";
-
-export function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCertificate: Certificate): boolean {
-    const block_info = readTag(certificateOrCrl, 0);
-    const blocks = _readStruct(certificateOrCrl, block_info);
-    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
-
-    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
-    const signatureAlgorithm = _readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
-    const signatureValue = _readSignatureValueBin(certificateOrCrl, blocks[2]);
-
-    const p = split_der(parentCertificate)[0];
-    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
-    const certPem = toPem(p, "CERTIFICATE");
-    const verify = crypto.createVerify(signatureAlgorithm.identifier);
-    verify.update(bufferToBeSigned);
-    verify.end();
-    return verify.verify(certPem, signatureValue);
-}
-
-export function verifyCertificateSignature(certificate: Certificate, parentCertificate: Certificate): boolean {
-    return verifyCertificateOrClrSignature(certificate, parentCertificate);
-}
-export function verifyCertificateRevocationListSignature(
-    certificateRevocationList: Certificate,
-    parentCertificate: Certificate
-): boolean {
-    return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
-}
-
-export type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
-export async function verifyCertificateChain(certificateChain: Certificate[]): Promise<{ status: _VerifyStatus; reason: string }> {
-    // verify that all the certificate
-    // second certificate must be used for CertificateSign
-
-    for (let index = 1; index < certificateChain.length; index++) {
-        const cert = certificateChain[index - 1];
-        const certParent = certificateChain[index];
-
-        // parent child must have keyCertSign
-        const certParentInfo = exploreCertificate(certParent);
-        const keyUsage = certParentInfo.tbsCertificate.extensions!.keyUsage!;
-
-        // istanbul ignore next
-        if (!keyUsage.keyCertSign) {
-            return {
-                status: "BadCertificateIssuerUseNotAllowed",
-                reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
-            };
-        }
-
-        const parentSignChild = verifyCertificateSignature(cert, certParent);
-        if (!parentSignChild) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "One of the certificate in the chain is not signing the previous certificate",
-            };
-        }
-        const certInfo = exploreCertificate(cert);
-
-        // istanbul ignore next
-        if (!certInfo.tbsCertificate.extensions) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "Cannot find X409 Extension 3 in certificate",
-            };
-        }
-
-        // istanbul ignore next
-        if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "Cannot find X409 Extension 3 in certificate (parent)",
-            };
-        }
-
-        // istanbul ignore next
-        if (
-            certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
-            certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier
-        ) {
-            return {
-                status: "BadCertificateInvalid",
-                reason:
-                    "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
-            };
-        }
-    }
-    return {
-        status: "Good",
-        reason: `certificate chain is valid(length = ${certificateChain.length})`,
-    };
-}
+// tslint:disable: no-console
+
+// Now that we got a hash of the original certificate,
+// we need to verify if we can obtain the same hash by using the same hashing function
+// (in this case SHA-384). In order to do that, we need to extract just the body of
+// the signed certificate. Which, in our case, is everything but the signature.
+// The start of the body is always the first digit of the second line of the following command:
+import * as crypto from "crypto";
+
+import { Certificate, PrivateKey } from "./common";
+import { split_der, exploreCertificate } from "./crypto_explore_certificate";
+import { toPem } from "./crypto_utils";
+import { _readAlgorithmIdentifier, _readSignatureValueBin, TagType, readTag, _readStruct, _getBlock } from "./asn1";
+
+export function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCertificate: Certificate): boolean {
+    const block_info = readTag(certificateOrCrl, 0);
+    const blocks = _readStruct(certificateOrCrl, block_info);
+    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
+
+    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
+    const signatureAlgorithm = _readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
+    const signatureValue = _readSignatureValueBin(certificateOrCrl, blocks[2]);
+
+    const p = split_der(parentCertificate)[0];
+    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
+    const certPem = toPem(p, "CERTIFICATE");
+    const verify = crypto.createVerify(signatureAlgorithm.identifier);
+    verify.update(bufferToBeSigned);
+    verify.end();
+    return verify.verify(certPem, signatureValue);
+}
+
+export function verifyCertificateSignature(certificate: Certificate, parentCertificate: Certificate): boolean {
+    return verifyCertificateOrClrSignature(certificate, parentCertificate);
+}
+export function verifyCertificateRevocationListSignature(
+    certificateRevocationList: Certificate,
+    parentCertificate: Certificate
+): boolean {
+    return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+}
+
+export type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
+export async function verifyCertificateChain(certificateChain: Certificate[]): Promise<{ status: _VerifyStatus; reason: string }> {
+    // verify that all the certificate
+    // second certificate must be used for CertificateSign
+
+    for (let index = 1; index < certificateChain.length; index++) {
+        const cert = certificateChain[index - 1];
+        const certParent = certificateChain[index];
+
+        // parent child must have keyCertSign
+        const certParentInfo = exploreCertificate(certParent);
+        const keyUsage = certParentInfo.tbsCertificate.extensions!.keyUsage!;
+
+        // istanbul ignore next
+        if (!keyUsage.keyCertSign) {
+            return {
+                status: "BadCertificateIssuerUseNotAllowed",
+                reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
+            };
+        }
+
+        const parentSignChild = verifyCertificateSignature(cert, certParent);
+        if (!parentSignChild) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "One of the certificate in the chain is not signing the previous certificate",
+            };
+        }
+        const certInfo = exploreCertificate(cert);
+
+        // istanbul ignore next
+        if (!certInfo.tbsCertificate.extensions) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "Cannot find X409 Extension 3 in certificate",
+            };
+        }
+
+        // istanbul ignore next
+        if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "Cannot find X409 Extension 3 in certificate (parent)",
+            };
+        }
+
+        // istanbul ignore next
+        if (
+            certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
+            certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier
+        ) {
+            return {
+                status: "BadCertificateInvalid",
+                reason:
+                    "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
+            };
+        }
+    }
+    return {
+        status: "Good",
+        reason: `certificate chain is valid(length = ${certificateChain.length})`,
+    };
+}

package/source_nodejs/index.ts

@@ -1,3 +1,3 @@
-export * from "./read";
-export * from "./read_certificate_revocation_list";
+export * from "./read";
+export * from "./read_certificate_revocation_list";
 export * from "./read_certificate_signing_request";

package/source_nodejs/read.ts

@@ -1,95 +1,95 @@
-import * as assert from "assert";
-import * as fs from "fs";
-import * as path from "path";
-import { Certificate, CertificatePEM, DER, PEM, PrivateKey, PrivateKeyPEM, PublicKey, PublicKeyPEM } from "../source/common";
-import { convertPEMtoDER, identifyPemType } from "../source/crypto_utils";
-const sshpk = require("sshpk");
-
-/**
- * @method readKeyPem
- * @param filename
- */
-export function readKeyPem(filename: string): string {
-    const raw_key = fs.readFileSync(filename, "utf8");
-    const pemType = identifyPemType(raw_key);
-    assert(typeof pemType === "string"); // must have a valid pem type
-    return raw_key;
-}
-
-function _readPemFile(filename: string): PEM {
-    assert(typeof filename === "string");
-    return fs.readFileSync(filename, "ascii");
-}
-
-function _readPemOrDerFileAsDER(filename: string): DER {
-    if (filename.match(/.*\.der/)) {
-        return fs.readFileSync(filename) as Buffer;
-    }
-    const raw_key: string = _readPemFile(filename);
-    return convertPEMtoDER(raw_key);
-}
-
-/**
- * read a DER or PEM certificate from file
- */
-export function readCertificate(filename: string): Certificate {
-    return _readPemOrDerFileAsDER(filename) as Certificate;
-}
-
-/**
- * read a DER or PEM certificate from file
- */
-export function readPublicKey(filename: string): PublicKey {
-    return _readPemOrDerFileAsDER(filename) as PublicKey;
-}
-
-/**
- * read a DER or PEM certificate from file
- */
-export function readPrivateKey(filename: string): PrivateKey {
-    return _readPemOrDerFileAsDER(filename) as PrivateKey;
-}
-
-export function readCertificatePEM(filename: string): CertificatePEM {
-    return _readPemFile(filename);
-}
-
-export function readPublicKeyPEM(filename: string): PublicKeyPEM {
-    return _readPemFile(filename);
-}
-
-export function readPrivateKeyPEM(filename: string): PrivateKeyPEM {
-    return _readPemFile(filename);
-}
-let __certificate_store = path.join(__dirname, "../../certificates/");
-
-export function setCertificateStore(store: string): string {
-    const old_store = __certificate_store;
-    __certificate_store = store;
-    return old_store;
-}
-
-export function read_sshkey_as_pem(filename: string): PublicKeyPEM {
-    if (filename.substr(0, 1) !== ".") {
-        filename = __certificate_store + filename;
-    }
-    const key: string = fs.readFileSync(filename, "ascii");
-    const sshKey = sshpk.parseKey(key, "ssh");
-
-    return sshKey.toString("pkcs8") as PEM;
-}
-
-/**
- *
- * @param filename
- */
-export function readPrivateRsaKey(filename: string): PrivateKeyPEM {
-    if (filename.substr(0, 1) !== "." && !fs.existsSync(filename)) {
-        filename = __certificate_store + filename;
-    }
-    return fs.readFileSync(filename, "ascii") as string;
-}
-
-export function readPublicRsaKey(filename: string): PublicKeyPEM {
-    return readPrivateRsaKey(filename);
-}
+import * as assert from "assert";
+import * as fs from "fs";
+import * as path from "path";
+import { Certificate, CertificatePEM, DER, PEM, PrivateKey, PrivateKeyPEM, PublicKey, PublicKeyPEM } from "../source/common";
+import { convertPEMtoDER, identifyPemType } from "../source/crypto_utils";
+const sshpk = require("sshpk");
+
+/**
+ * @method readKeyPem
+ * @param filename
+ */
+export function readKeyPem(filename: string): string {
+    const raw_key = fs.readFileSync(filename, "utf8");
+    const pemType = identifyPemType(raw_key);
+    assert(typeof pemType === "string"); // must have a valid pem type
+    return raw_key;
+}
+
+function _readPemFile(filename: string): PEM {
+    assert(typeof filename === "string");
+    return fs.readFileSync(filename, "ascii");
+}
+
+function _readPemOrDerFileAsDER(filename: string): DER {
+    if (filename.match(/.*\.der/)) {
+        return fs.readFileSync(filename) as Buffer;
+    }
+    const raw_key: string = _readPemFile(filename);
+    return convertPEMtoDER(raw_key);
+}
+
+/**
+ * read a DER or PEM certificate from file
+ */
+export function readCertificate(filename: string): Certificate {
+    return _readPemOrDerFileAsDER(filename) as Certificate;
+}
+
+/**
+ * read a DER or PEM certificate from file
+ */
+export function readPublicKey(filename: string): PublicKey {
+    return _readPemOrDerFileAsDER(filename) as PublicKey;
+}
+
+/**
+ * read a DER or PEM certificate from file
+ */
+export function readPrivateKey(filename: string): PrivateKey {
+    return _readPemOrDerFileAsDER(filename) as PrivateKey;
+}
+
+export function readCertificatePEM(filename: string): CertificatePEM {
+    return _readPemFile(filename);
+}
+
+export function readPublicKeyPEM(filename: string): PublicKeyPEM {
+    return _readPemFile(filename);
+}
+
+export function readPrivateKeyPEM(filename: string): PrivateKeyPEM {
+    return _readPemFile(filename);
+}
+let __certificate_store = path.join(__dirname, "../../certificates/");
+
+export function setCertificateStore(store: string): string {
+    const old_store = __certificate_store;
+    __certificate_store = store;
+    return old_store;
+}
+
+export function read_sshkey_as_pem(filename: string): PublicKeyPEM {
+    if (filename.substring(0, 1) !== ".") {
+        filename = __certificate_store + filename;
+    }
+    const key: string = fs.readFileSync(filename, "ascii");
+    const sshKey = sshpk.parseKey(key, "ssh");
+
+    return sshKey.toString("pkcs8") as PEM;
+}
+
+/**
+ *
+ * @param filename
+ */
+export function readPrivateRsaKey(filename: string): PrivateKeyPEM {
+    if (filename.substring(0, 1) !== "." && !fs.existsSync(filename)) {
+        filename = __certificate_store + filename;
+    }
+    return fs.readFileSync(filename, "ascii") as string;
+}
+
+export function readPublicRsaKey(filename: string): PublicKeyPEM {
+    return readPrivateRsaKey(filename);
+}

package/source_nodejs/read_certificate_revocation_list.ts

@@ -1,14 +1,14 @@
-import * as fs from "fs";
-import { promisify } from "util";
-import { convertPEMtoDER } from "../source/crypto_utils";
-import { CertificateRevocationList } from "../source/common";
-
-export async function readCertificateRevocationList(filename: string): Promise<CertificateRevocationList> {
-    const crl = await promisify(fs.readFile)(filename);
-    if (crl[0] === 0x30 && crl[1] === 0x82) {
-        // der format
-        return crl as CertificateRevocationList;
-    }
-    const raw_crl = crl.toString();
-    return convertPEMtoDER(raw_crl);
-}
+import * as fs from "fs";
+import { promisify } from "util";
+import { convertPEMtoDER } from "../source/crypto_utils";
+import { CertificateRevocationList } from "../source/common";
+
+export async function readCertificateRevocationList(filename: string): Promise<CertificateRevocationList> {
+    const crl = await promisify(fs.readFile)(filename);
+    if (crl[0] === 0x30 && crl[1] === 0x82) {
+        // der format
+        return crl as CertificateRevocationList;
+    }
+    const raw_crl = crl.toString();
+    return convertPEMtoDER(raw_crl);
+}

package/source_nodejs/read_certificate_signing_request.ts

@@ -1,17 +1,17 @@
-import * as fs from "fs";
-import { promisify } from "util";
-import { convertPEMtoDER } from "../source/crypto_utils";
-import { CertificateRevocationList } from "../source/common";
-import { assert } from "console";
-
-export type CertificateSigningRequest = Buffer;
-
-export async function readCertificateSigningRequest(filename: string): Promise<CertificateSigningRequest> {
-    const csr = await promisify(fs.readFile)(filename);
-    if (csr[0] === 0x30 && csr[1] === 0x82) {
-        // der format
-        return csr as CertificateRevocationList;
-    }
-    const raw_crl = csr.toString();
-    return convertPEMtoDER(raw_crl);
-}
+import * as fs from "fs";
+import { promisify } from "util";
+import { convertPEMtoDER } from "../source/crypto_utils";
+import { CertificateRevocationList } from "../source/common";
+import { assert } from "console";
+
+export type CertificateSigningRequest = Buffer;
+
+export async function readCertificateSigningRequest(filename: string): Promise<CertificateSigningRequest> {
+    const csr = await promisify(fs.readFile)(filename);
+    if (csr[0] === 0x30 && csr[1] === 0x82) {
+        // der format
+        return csr as CertificateRevocationList;
+    }
+    const raw_crl = csr.toString();
+    return convertPEMtoDER(raw_crl);
+}

package/test_certificate.ts

@@ -1,34 +1,34 @@
-// tslint:disable: no-console
-import * as fs from "fs";
-import { exploreCertificate, readCertificate } from ".";
-
-async function testCertificate(filename: string): Promise<void> {
-    const cert1 = await readCertificate(filename);
-    try {
-        const info = exploreCertificate(cert1);
-        //        console.log(info);
-    } catch (err) {
-        console.log(filename, "err = ", err.message);
-    }
-}
-async function testCertificate1(filename: string): Promise<void> {
-    const cert1 = fs.readFileSync(filename);
-    try {
-        const info = exploreCertificate(cert1);
-        //        console.log(info);
-    } catch (err) {
-        console.log(filename, "err = ", err.message);
-        console.log(err);
-        throw err;
-    }
-}
-
-(async () => {
-    try {
-        testCertificate1("./read.cer");
-        testCertificate1("./unsol.cer");
-        testCertificate1("./write.cer");
-    } catch (err) {
-        console.log("???? ERR !!!! ", err.message);
-    }
-})();
+// tslint:disable: no-console
+import * as fs from "fs";
+import { exploreCertificate, readCertificate } from ".";
+
+async function testCertificate(filename: string): Promise<void> {
+    const cert1 = await readCertificate(filename);
+    try {
+        const info = exploreCertificate(cert1);
+        //        console.log(info);
+    } catch (err) {
+        console.log(filename, "err = ", err.message);
+    }
+}
+async function testCertificate1(filename: string): Promise<void> {
+    const cert1 = fs.readFileSync(filename);
+    try {
+        const info = exploreCertificate(cert1);
+        //        console.log(info);
+    } catch (err) {
+        console.log(filename, "err = ", err.message);
+        console.log(err);
+        throw err;
+    }
+}
+
+(async () => {
+    try {
+        testCertificate1("./read.cer");
+        testCertificate1("./unsol.cer");
+        testCertificate1("./write.cer");
+    } catch (err) {
+        console.log("???? ERR !!!! ", err.message);
+    }
+})();

package/tsconfig.json

@@ -1,18 +1,18 @@
-{
-    "compilerOptions": {
-        "skipLibCheck": true,
-        "target": "es6",
-        "moduleResolution": "node",
-        "module": "commonjs",
-        "declaration": true,
-        "outDir": "./dist",
-        "sourceMap": true,
-        "strict": true,
-        "listFiles": false,
-        "traceResolution": false,
-        "incremental": true,
-        "types": ["node", "mocha", "should"],
-        "rootDir": "."
-    },
-    "files": ["source/index.ts", "source_nodejs/index.ts"]
-}
+{
+    "compilerOptions": {
+        "skipLibCheck": true,
+        "target": "es6",
+        "moduleResolution": "node",
+        "module": "commonjs",
+        "declaration": true,
+        "outDir": "./dist",
+        "sourceMap": true,
+        "strict": true,
+        "listFiles": false,
+        "traceResolution": false,
+        "incremental": true,
+        "types": ["node", "mocha", "should"],
+        "rootDir": "."
+    },
+    "files": ["source/index.ts", "source_nodejs/index.ts"]
+}