node-opcua-crypto 1.7.4 → 1.9.0

package/dist/source_nodejs/read_certificate_signing_request.js

@@ -1,28 +1,28 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.readCertificateSigningRequest = void 0;
-const fs = require("fs");
-const util_1 = require("util");
-const crypto_utils_1 = require("../source/crypto_utils");
-function readCertificateSigningRequest(filename) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const csr = yield (0, util_1.promisify)(fs.readFile)(filename);
-        if (csr[0] === 0x30 && csr[1] === 0x82) {
-            // der format
-            return csr;
-        }
-        const raw_crl = csr.toString();
-        return (0, crypto_utils_1.convertPEMtoDER)(raw_crl);
-    });
-}
-exports.readCertificateSigningRequest = readCertificateSigningRequest;
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readCertificateSigningRequest = void 0;
+const fs = require("fs");
+const util_1 = require("util");
+const crypto_utils_1 = require("../source/crypto_utils");
+function readCertificateSigningRequest(filename) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const csr = yield (0, util_1.promisify)(fs.readFile)(filename);
+        if (csr[0] === 0x30 && csr[1] === 0x82) {
+            // der format
+            return csr;
+        }
+        const raw_crl = csr.toString();
+        return (0, crypto_utils_1.convertPEMtoDER)(raw_crl);
+    });
+}
+exports.readCertificateSigningRequest = readCertificateSigningRequest;
 //# sourceMappingURL=read_certificate_signing_request.js.map

package/dist/verify_cerficate_signature.d.ts

@@ -0,0 +1,10 @@
+/// <reference types="node" />
+import { Certificate } from "./common";
+export declare function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCerticate: Certificate): boolean;
+export declare function verifyCertificateSignature(certificate: Certificate, parentCerticate: Certificate): boolean;
+export declare function verifyCertificateRevocationListSignature(certificateRevocationList: Certificate, parentCerticate: Certificate): boolean;
+export declare type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
+export declare function verifyCertificateChain(certificateChain: Certificate[]): Promise<{
+    status: _VerifyStatus;
+    reason: string;
+}>;

package/dist/verify_cerficate_signature.js

@@ -0,0 +1,102 @@
+"use strict";
+// tslint:disable: no-console
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyCertificateChain = exports.verifyCertificateRevocationListSignature = exports.verifyCertificateSignature = exports.verifyCertificateOrClrSignature = void 0;
+// Now that we got a hash of the orginal certificate,
+// we need to verify if we can obtain the same hash by using the same hashing function
+// (in this case SHA-384). In order to do that, we need to extract just the body of
+// the signed certificate. Which, in our case, is everything but the signature.
+// The start of the body is always the first digit of the second line of the following command:
+const crypto = require("crypto");
+const crypto_explore_certificate_1 = require("./crypto_explore_certificate");
+const crypto_utils_1 = require("./crypto_utils");
+const asn1_1 = require("./asn1");
+function verifyCertificateOrClrSignature(certificateOrCrl, parentCerticate) {
+    const block_info = asn1_1.readTag(certificateOrCrl, 0);
+    const blocks = asn1_1._readStruct(certificateOrCrl, block_info);
+    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
+    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
+    const signatureAlgorithm = asn1_1._readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
+    const signatureValue = asn1_1._readSignatureValueBin(certificateOrCrl, blocks[2]);
+    const p = crypto_explore_certificate_1.split_der(parentCerticate)[0];
+    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
+    const certPem = crypto_utils_1.toPem(p, "CERTIFICATE");
+    const verify = crypto.createVerify(signatureAlgorithm.identifier);
+    verify.update(bufferToBeSigned);
+    verify.end();
+    return verify.verify(certPem, signatureValue);
+}
+exports.verifyCertificateOrClrSignature = verifyCertificateOrClrSignature;
+function verifyCertificateSignature(certificate, parentCerticate) {
+    return verifyCertificateOrClrSignature(certificate, parentCerticate);
+}
+exports.verifyCertificateSignature = verifyCertificateSignature;
+function verifyCertificateRevocationListSignature(certificateRevocationList, parentCerticate) {
+    return verifyCertificateOrClrSignature(certificateRevocationList, parentCerticate);
+}
+exports.verifyCertificateRevocationListSignature = verifyCertificateRevocationListSignature;
+function verifyCertificateChain(certificateChain) {
+    return __awaiter(this, void 0, void 0, function* () {
+        // verify that all the certificate
+        // second certificate must be used for CertificateSign
+        for (let index = 1; index < certificateChain.length; index++) {
+            const cert = certificateChain[index - 1];
+            const certParent = certificateChain[index];
+            // parent child must have keyCertSign
+            const certParentInfo = crypto_explore_certificate_1.exploreCertificate(certParent);
+            const keyUsage = certParentInfo.tbsCertificate.extensions.keyUsage;
+            // istanbul ignore next
+            if (!keyUsage.keyCertSign) {
+                return {
+                    status: "BadCertificateIssuerUseNotAllowed",
+                    reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
+                };
+            }
+            const parentSignChild = verifyCertificateSignature(cert, certParent);
+            if (!parentSignChild) {
+                return {
+                    status: "BadCertificateInvalid",
+                    reason: "One of the certificate in the chain is not signing the previous certificate",
+                };
+            }
+            const certInfo = crypto_explore_certificate_1.exploreCertificate(cert);
+            // istanbul ignore next
+            if (!certInfo.tbsCertificate.extensions) {
+                return {
+                    status: "BadCertificateInvalid",
+                    reason: "Cannot finx X409 Extension 3 in certificate",
+                };
+            }
+            // istanbul ignore next
+            if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+                return {
+                    status: "BadCertificateInvalid",
+                    reason: "Cannot finx X409 Extension 3 in certificate (parent)",
+                };
+            }
+            // istanbul ignore next
+            if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
+                certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
+                return {
+                    status: "BadCertificateInvalid",
+                    reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
+                };
+            }
+        }
+        return {
+            status: "Good",
+            reason: `certificate chain is valid(length = ${certificateChain.length})`,
+        };
+    });
+}
+exports.verifyCertificateChain = verifyCertificateChain;
+//# sourceMappingURL=verify_cerficate_signature.js.map

package/dist/verify_cerficate_signature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify_cerficate_signature.js","sourceRoot":"","sources":["../lib/verify_cerficate_signature.ts"],"names":[],"mappings":";AAAA,6BAA6B;;;;;;;;;;;;AAE7B,qDAAqD;AACrD,sFAAsF;AACtF,mFAAmF;AACnF,+EAA+E;AAC/E,+FAA+F;AAC/F,iCAAiC;AAGjC,6EAGsC;AACtC,iDAAuC;AACvC,iCAOgB;AAMhB,SAAgB,+BAA+B,CAC3C,gBAAwB,EACxB,eAA4B;IAG5B,MAAM,UAAU,GAAG,cAAO,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,kBAAW,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IACzD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IAE7F,gKAAgK;IAChK,MAAM,kBAAkB,GAAG,+BAAwB,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACjF,MAAM,cAAc,GAAG,6BAAsB,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAE3E,MAAM,CAAC,GAAG,sCAAS,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC,iEAAiE;IACjE,MAAM,OAAO,GAAG,oBAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAClE,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAChC,MAAM,CAAC,GAAG,EAAE,CAAC;IACb,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;AAClD,CAAC;AApBD,0EAoBC;AAED,SAAgB,0BAA0B,CACtC,WAAwB,EACxB,eAA4B;IAE5B,OAAO,+BAA+B,CAAC,WAAW,EAAE,eAAe,CAAC,CAAA;AACxE,CAAC;AALD,gEAKC;AACD,SAAgB,wCAAwC,CACpD,yBAAsC,EACtC,eAA4B;IAE5B,OAAO,+BAA+B,CAAC,yBAAyB,EAAE,eAAe,CAAC,CAAA;AACtF,CAAC;AALD,4FAKC;AAID,SAAsB,sBAAsB,CAAC,gBAA+B;;QACxE,kCAAkC;QAClC,sDAAsD;QAEtD,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,gBAAgB,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE;YAC1D,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YACzC,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YAE3C,qCAAqC;YACrC,MAAM,cAAc,GAAG,+CAAkB,CAAC,UAAU,CAAC,CAAC;YACtD,MAAM,QAAQ,GAAG,cAAc,CAAC,cAAc,CAAC,UAAW,CAAC,QAAS,CAAC;YAErE,uBAAuB;YACvB,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE;gBACvB,OAAO;oBACH,MAAM,EAAE,mCAAmC;oBAC3C,MAAM,EAAE,kFAAkF;iBAC7F,CAAC;aACL;YAED,MAAM,eAAe,GAAG,0BAA0B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YACrE,IAAI,CAAC,eAAe,EAAE;gBAClB,OAAO;oBACH,MAAM,EAAE,uBAAuB;oBAC/B,MAAM,EAAE,6EAA6E;iBACxF,CAAC;aACL;YACD,MAAM,QAAQ,GAAG,+CAAkB,CAAC,IAAI,CAAC,CAAC;YAE1C,uBAAuB;YACvB,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,UAAU,EAAE;gBACrC,OAAO;oBACH,MAAM,EAAE,uBAAuB;oBAC/B,MAAM,EAAE,6CAA6C;iBACxD,CAAC;aACL;YAED,uBAAuB;YACvB,IAAI,CAAC,cAAc,CAAC,cAAc,CAAC,UAAU,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,UAAU,CAAC,sBAAsB,EAAE;gBACzG,OAAO;oBACH,MAAM,EAAE,uBAAuB;oBAC/B,MAAM,EAAE,sDAAsD;iBACjE,CAAC;aACL;YAED,uBAAuB;YACvB,IACI,cAAc,CAAC,cAAc,CAAC,UAAU,CAAC,oBAAoB;gBAC7D,QAAQ,CAAC,cAAc,CAAC,UAAU,CAAC,sBAAsB,CAAC,aAAa,EACzE;gBACE,OAAO;oBACH,MAAM,EAAE,uBAAuB;oBAC/B,MAAM,EACF,0HAA0H;iBACjI,CAAC;aACL;SACJ;QACD,OAAO;YACH,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,uCAAuC,gBAAgB,CAAC,MAAM,GAAG;SAC5E,CAAC;IACN,CAAC;CAAA;AA7DD,wDA6DC"}

package/index.d.ts

@@ -1,2 +1,2 @@
-export * from "./dist/source";
-export * from "./dist/source_nodejs";
+export * from "./dist/source";
+export * from "./dist/source_nodejs";

package/index.js

@@ -1,4 +1,4 @@
-module.exports = {
-    ...require("./dist/source"),
-    ...require("./dist/source_nodejs"),
-};
+module.exports = {
+    ...require("./dist/source"),
+    ...require("./dist/source_nodejs"),
+};

package/index_web.js

@@ -1,3 +1,3 @@
-module.exports = {
-    ...require("./dist/source"),
-};
+module.exports = {
+    ...require("./dist/source"),
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-opcua-crypto",
-  "version": "1.7.4",
+  "version": "1.9.0",
   "description": "Crypto tools for Node-OPCUA",
   "main": "./index.js",
   "types": "./index.d.ts",
@@ -15,7 +15,7 @@
     "cost-of-modules": "npx cost-of-modules --no-install",
     "release-it": "npx release-it",
     "prettier-format": "prettier --config .prettierrc.js lib/**/*.ts test/**/*.ts --write",
-    "ncu": "npx npm-check-updates -u"
+    "ncu": "npx npm-check-updates -u -x env-paths,chalk"
   },
   "keywords": [
     "OPCUA",
@@ -28,28 +28,28 @@
   "author": "Etienne Rossignon",
   "license": "MIT",
   "devDependencies": {
-    "@types/mocha": "^9.0.0",
-    "@types/node": "^16.7.10",
-    "@typescript-eslint/eslint-plugin": "^4.30.0",
-    "@typescript-eslint/parser": "^4.30.0",
-    "eslint": "^7.32.0",
-    "eslint-config-prettier": "^8.3.0",
+    "@types/mocha": "^9.1.0",
+    "@types/node": "^17.0.21",
+    "@typescript-eslint/eslint-plugin": "^5.12.1",
+    "@typescript-eslint/parser": "^5.12.1",
+    "eslint": "^8.10.0",
+    "eslint-config-prettier": "^8.4.0",
     "eslint-plugin-prettier": "^4.0.0",
-    "lorem-ipsum": "^2.0.3",
-    "mocha": "^9.1.1",
-    "prettier": "^2.3.2",
+    "lorem-ipsum": "^2.0.4",
+    "mocha": "^9.2.1",
+    "prettier": "^2.5.1",
     "should": "^13.2.3",
     "source-map": "^0.7.3",
-    "source-map-support": "^0.5.19",
-    "ts-node": "^10.2.1",
-    "typescript": "^4.4.2"
+    "source-map-support": "^0.5.21",
+    "ts-node": "^10.5.0",
+    "typescript": "^4.5.5"
   },
   "dependencies": {
     "better-assert": "^1.0.2",
     "chalk": "^4.1.2",
-    "hexy": "^0.3.2",
-    "jsrsasign": "^10.4.0",
-    "sshpk": "^1.16.1"
+    "hexy": "0.3.4",
+    "jsrsasign": "^10.5.8",
+    "sshpk": "^1.17.0"
   },
   "repository": {
     "type": "git",