node-opcua-crypto 1.8.0 → 1.9.0

package/dist/derived_keys.js

@@ -0,0 +1,247 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyChunkSignatureWithDerivedKeys = exports.makeMessageChunkSignatureWithDerivedKeys = exports.decryptBufferWithDerivedKeys = exports.encryptBufferWithDerivedKeys = exports.computePaddingFooter = exports.verifyChunkSignature = exports.removePadding = exports.reduceLength = exports.computeDerivedKeys = exports.makePseudoRandomBuffer = void 0;
+/**
+ * @module node_opcua_crypto
+ */
+const crypto = require("crypto");
+const _ = require("underscore");
+const buffer_utils_1 = require("./buffer_utils");
+const crypto_utils_1 = require("./crypto_utils");
+const explore_certificate_1 = require("./explore_certificate");
+const assert = require("assert");
+function HMAC_HASH(sha1or256, secret, message) {
+    return crypto.createHmac(sha1or256, secret).update(message).digest();
+}
+function plus(buf1, buf2) {
+    return Buffer.concat([buf1, buf2]);
+}
+// OPC-UA Spec 1.02 part 6 - 6.7.5  Deriving Keys page 42
+// Once the  SecureChannel  is established the  Messages  are signed and encrypted with keys derived
+// from the  Nonces  exchanged in t he  OpenSecureChannel  call. These keys are derived by passing the
+// Nonces  to a pseudo - random function which produces a sequence of bytes from a set of inputs.   A
+// pseudo- random function  is represented by the following function declaration:
+// Byte[] PRF(
+//     Byte[] secret,
+//     Byte[] seed,
+//     Int32 length,
+//     Int32 offset
+// )
+// Where length   is the number of bytes to return and  offset  is a number of bytes from the beginning of
+// the sequence.
+// The lengths of the keys that need to be generated depend on the  SecurityPolicy  used for the
+//    channel. The following information is specified by the  SecurityPolicy:
+//    a)  SigningKeyLength  (from the  DerivedSignatureKeyLength);
+//    b)  EncryptingKeyLength  (implied by the  SymmetricEncryptionAlgorithm);
+//    c)  EncryptingBlockSize  (implied by the  SymmetricEncryptionAlgorithm).
+//  The parameters  passed to the pseudo random function are specified in  Table 36.
+//  Table 36  - Cryptography Key Generation Parameters
+//
+// Key                         Secret       Seed         Length               Offset
+// ClientSigningKey            ServerNonce  ClientNonce  SigningKeyLength     0
+// ClientEncryptingKey         ServerNonce  ClientNonce  EncryptingKeyLength  SigningKeyLength
+// ClientInitializationVector  ServerNonce  ClientNonce  EncryptingBlockSize  SigningKeyLength+ EncryptingKeyLength
+// ServerSigningKey            ClientNonce  ServerNonce  SigningKeyLength     0
+// ServerEncryptingKey         ClientNonce  ServerNonce  EncryptingKeyLength  SigningKeyLength
+// ServerInitializationVector  ClientNonce  ServerNonce  EncryptingBlockSize  SigningKeyLength+ EncryptingKeyLength
+//
+// The  Client  keys are used to secure  Messages  sent by the  Client. The  Server  keys are used to
+// secure Messages  sent by the  Server.
+// The SSL/TLS  specification  defines a pseudo random function called P_HASH which is used for this purpose.
+//
+// The P_HASH  algorithm is defined as follows:
+//
+//    P_HASH(secret, seed) = HMAC_HASH(secret, A(1) + seed) +
+//                            HMAC_HASH(secret, A(2) + seed) +
+//                            HMAC_HASH(secret, A(3) + seed) + ...
+// Where A(n) is defined as:
+//       A(0) = seed
+//       A(n) = HMAC_HASH(secret, A(n-1))
+//            + indicates that the results are appended to previous results.
+// Where HASH is a hash function such as SHA1 or SHA256. The hash function to use depends on the SecurityPolicyUri.
+//
+//
+// see also http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/ws-secureconversation-1.3-os.html
+//          http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
+function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
+    assert(seed instanceof Buffer);
+    assert(sha1or256 === "SHA1" || sha1or256 === "SHA256");
+    const a = [];
+    a[0] = seed;
+    let index = 1;
+    let p_hash = buffer_utils_1.createFastUninitializedBuffer(0);
+    while (p_hash.length <= minLength) {
+        /* eslint  new-cap:0 */
+        a[index] = HMAC_HASH(sha1or256, secret, a[index - 1]);
+        p_hash = plus(p_hash, HMAC_HASH(sha1or256, secret, plus(a[index], seed)));
+        index += 1;
+    }
+    return p_hash.slice(0, minLength);
+}
+exports.makePseudoRandomBuffer = makePseudoRandomBuffer;
+function computeDerivedKeys(secret, seed, options) {
+    assert(_.isFinite(options.signatureLength));
+    assert(_.isFinite(options.encryptingKeyLength));
+    assert(_.isFinite(options.encryptingBlockSize));
+    assert(typeof options.algorithm === "string");
+    options.sha1or256 = options.sha1or256 || "SHA1";
+    assert(typeof options.sha1or256 === "string");
+    const offset1 = options.signingKeyLength;
+    const offset2 = offset1 + options.encryptingKeyLength;
+    const minLength = offset2 + options.encryptingBlockSize;
+    const buf = makePseudoRandomBuffer(secret, seed, minLength, options.sha1or256);
+    return {
+        signatureLength: options.signatureLength,
+        signingKeyLength: options.signingKeyLength,
+        encryptingKeyLength: options.encryptingKeyLength,
+        encryptingBlockSize: options.encryptingBlockSize,
+        algorithm: options.algorithm,
+        sha1or256: options.sha1or256,
+        signingKey: buf.slice(0, offset1),
+        encryptingKey: buf.slice(offset1, offset2),
+        initializationVector: buf.slice(offset2, minLength),
+    };
+}
+exports.computeDerivedKeys = computeDerivedKeys;
+/**
+ * @method reduceLength
+ * @param buffer
+ * @param byteToRemove
+ * @return buffer
+ */
+function reduceLength(buffer, byteToRemove) {
+    return buffer.slice(0, buffer.length - byteToRemove);
+}
+exports.reduceLength = reduceLength;
+/**
+ * @method removePadding
+ * @param buffer
+ * @return buffer with padding removed
+ */
+function removePadding(buffer) {
+    const nbPaddingBytes = buffer.readUInt8(buffer.length - 1) + 1;
+    return reduceLength(buffer, nbPaddingBytes);
+}
+exports.removePadding = removePadding;
+/**
+ * @method verifyChunkSignature
+ *
+ *     const signer = {
+ *           signatureLength : 128,
+ *           algorithm : "RSA-SHA256",
+ *           public_key: "qsdqsdqsd"
+ *     };
+ *
+ * @param chunk  The message chunk to verify.
+ * @param options
+ * @param options.signatureLength
+ * @param options.algorithm  the algorithm.
+ * @param options.publicKey
+ * @return {*}
+ */
+function verifyChunkSignature(chunk, options) {
+    assert(chunk instanceof Buffer);
+    let signatureLength = options.signatureLength || 0;
+    if (signatureLength === 0) {
+        // let's get the signatureLength by checking the size
+        // of the certificate's public key
+        const cert = explore_certificate_1.exploreCertificateInfo(options.publicKey);
+        signatureLength = cert.publicKeyLength || 0; // 1024 bits = 128Bytes or 2048=256Bytes
+    }
+    const block_to_verify = chunk.slice(0, chunk.length - signatureLength);
+    const signature = chunk.slice(chunk.length - signatureLength);
+    return crypto_utils_1.verifyMessageChunkSignature(block_to_verify, signature, options);
+}
+exports.verifyChunkSignature = verifyChunkSignature;
+// /**
+//  * extract the public key from a certificate - using the pem module
+//  *
+//  * @method extractPublicKeyFromCertificate_WithPem
+//  * @async
+//  * @param certificate
+//  * @param callback {Function}
+//  * @param callback.err
+//  * @param callback.publicKey as pem
+//  */
+// exports.extractPublicKeyFromCertificate_WithPem = function (certificate, callback) {
+//
+//     const err1 = new Error();
+//     const cert_pem = crypto_utils.toPem(certificate, "CERTIFICATE");
+//     require("pem").getPublicKey(cert_pem, function (err, data) {
+//         if (err) {
+//             console.log(err1.stack);
+//             console.log(" CANNOT EXTRAT PUBLIC KEY from Certificate".red, certificate);
+//             return callback(err);
+//         }
+//         callback(err, data.publicKey);
+//     });
+// };
+//
+function computePaddingFooter(buffer, derivedKeys) {
+    assert(derivedKeys.hasOwnProperty("encryptingBlockSize"));
+    const paddingSize = derivedKeys.encryptingBlockSize - ((buffer.length + 1) % derivedKeys.encryptingBlockSize);
+    const padding = buffer_utils_1.createFastUninitializedBuffer(paddingSize + 1);
+    padding.fill(paddingSize);
+    return padding;
+}
+exports.computePaddingFooter = computePaddingFooter;
+function derivedKeys_algorithm(derivedKeys) {
+    assert(derivedKeys.hasOwnProperty("algorithm"));
+    const algorithm = derivedKeys.algorithm || "aes-128-cbc";
+    assert(algorithm === "aes-128-cbc" || algorithm === "aes-256-cbc");
+    return algorithm;
+}
+function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
+    const algorithm = derivedKeys_algorithm(derivedKeys);
+    const key = derivedKeys.encryptingKey;
+    const initVector = derivedKeys.initializationVector;
+    const cypher = crypto.createCipheriv(algorithm, key, initVector);
+    cypher.setAutoPadding(false);
+    const encrypted_chunks = [];
+    encrypted_chunks.push(cypher.update(buffer));
+    encrypted_chunks.push(cypher.final());
+    return Buffer.concat(encrypted_chunks);
+}
+exports.encryptBufferWithDerivedKeys = encryptBufferWithDerivedKeys;
+function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
+    const algorithm = derivedKeys_algorithm(derivedKeys);
+    const key = derivedKeys.encryptingKey;
+    const initVector = derivedKeys.initializationVector;
+    const cypher = crypto.createDecipheriv(algorithm, key, initVector);
+    cypher.setAutoPadding(false);
+    const decrypted_chunks = [];
+    decrypted_chunks.push(cypher.update(buffer));
+    decrypted_chunks.push(cypher.final());
+    return Buffer.concat(decrypted_chunks);
+}
+exports.decryptBufferWithDerivedKeys = decryptBufferWithDerivedKeys;
+/**
+ * @method makeMessageChunkSignatureWithDerivedKeys
+ * @param message
+ * @param derivedKeys
+ * @return
+ */
+function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
+    assert(message instanceof Buffer);
+    assert(derivedKeys.signingKey instanceof Buffer);
+    assert(typeof derivedKeys.sha1or256 === "string");
+    assert(derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
+    const signature = crypto.createHmac(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
+    assert(signature.length === derivedKeys.signatureLength);
+    return signature;
+}
+exports.makeMessageChunkSignatureWithDerivedKeys = makeMessageChunkSignatureWithDerivedKeys;
+/**
+ * @method verifyChunkSignatureWithDerivedKeys
+ * @param chunk
+ * @param derivedKeys
+ * @return
+ */
+function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
+    const message = chunk.slice(0, chunk.length - derivedKeys.signatureLength);
+    const signature = chunk.slice(chunk.length - derivedKeys.signatureLength);
+    const verif = makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys);
+    return verif.toString("hex") === signature.toString("hex");
+}
+exports.verifyChunkSignatureWithDerivedKeys = verifyChunkSignatureWithDerivedKeys;
+//# sourceMappingURL=derived_keys.js.map

package/dist/derived_keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"derived_keys.js","sourceRoot":"","sources":["../lib/derived_keys.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,iCAAiC;AACjC,gCAAgC;AAEhC,iDAA+D;AAE/D,iDAAiG;AACjG,+DAA+D;AAC/D,iCAAiC;AAEjC,SAAS,SAAS,CAAC,SAA4B,EAAE,MAAc,EAAE,OAAe;IAC5E,OAAO,MAAM,CAAC,UAAU,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;AACzE,CAAC;AAED,SAAS,IAAI,CAAC,IAAY,EAAE,IAAY;IACpC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,yDAAyD;AACzD,oGAAoG;AACpG,sGAAsG;AACtG,qGAAqG;AACrG,iFAAiF;AACjF,cAAc;AACd,qBAAqB;AACrB,mBAAmB;AACnB,oBAAoB;AACpB,mBAAmB;AACnB,IAAI;AACJ,0GAA0G;AAC1G,gBAAgB;AAChB,gGAAgG;AAChG,6EAA6E;AAC7E,kEAAkE;AAClE,8EAA8E;AAC9E,8EAA8E;AAC9E,oFAAoF;AACpF,sDAAsD;AACtD,EAAE;AACF,oFAAoF;AACpF,+EAA+E;AAC/E,8FAA8F;AAC9F,mHAAmH;AACnH,+EAA+E;AAC/E,8FAA8F;AAC9F,mHAAmH;AACnH,EAAE;AACF,qGAAqG;AACrG,wCAAwC;AACxC,6GAA6G;AAC7G,EAAE;AACF,+CAA+C;AAC/C,EAAE;AACF,6DAA6D;AAC7D,8DAA8D;AAC9D,kEAAkE;AAClE,4BAA4B;AAC5B,oBAAoB;AACpB,yCAAyC;AACzC,4EAA4E;AAC5E,mHAAmH;AACnH,EAAE;AACF,EAAE;AACF,2GAA2G;AAC3G,2EAA2E;AAC3E,SAAgB,sBAAsB,CAAC,MAAa,EAAE,IAAW,EAAE,SAAiB,EAAE,SAA4B;IAC9G,MAAM,CAAC,IAAI,YAAY,MAAM,CAAC,CAAC;IAC/B,MAAM,CAAC,SAAS,KAAK,MAAM,IAAI,SAAS,KAAK,QAAQ,CAAC,CAAC;IAEvD,MAAM,CAAC,GAAG,EAAE,CAAC;IACb,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IACZ,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,MAAM,GAAG,4CAA6B,CAAC,CAAC,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,MAAM,IAAI,SAAS,EAAE;QAC/B,uBAAuB;QACvB,CAAC,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;QACtD,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1E,KAAK,IAAI,CAAC,CAAC;KACd;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;AACtC,CAAC;AAfD,wDAeC;AA0BD,SAAgB,kBAAkB,CAAC,MAAa,EAAE,IAAW,EAAE,OAAkC;IAC7F,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;IAC5C,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAChD,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAChD,MAAM,CAAC,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC;IAC9C,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;IAChD,MAAM,CAAC,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC;IAE9C,MAAM,OAAO,GAAG,OAAO,CAAC,gBAAgB,CAAC;IACzC,MAAM,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC,mBAAmB,CAAC;IACtD,MAAM,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAExD,MAAM,GAAG,GAAG,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAE/E,OAAO;QACH,eAAe,EAAE,OAAO,CAAC,eAAe;QACxC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;QAC1C,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAEhD,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;QAE5B,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC;QACjC,aAAa,EAAE,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;QAC1C,oBAAoB,EAAE,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC;KACtD,CAAC;AACN,CAAC;AA3BD,gDA2BC;AAED;;;;;GAKG;AACH,SAAgB,YAAY,CAAC,MAAc,EAAE,YAAoB;IAC7D,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,YAAY,CAAC,CAAC;AACzD,CAAC;AAFD,oCAEC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,MAAc;IACxC,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IAC/D,OAAO,YAAY,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AAChD,CAAC;AAHD,sCAGC;AAID;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,oBAAoB,CAAC,KAAa,EAAE,OAAoC;IACpF,MAAM,CAAC,KAAK,YAAY,MAAM,CAAC,CAAC;IAChC,IAAI,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,CAAC,CAAC;IACnD,IAAI,eAAe,KAAK,CAAC,EAAE;QACvB,qDAAqD;QACrD,kCAAkC;QAClC,MAAM,IAAI,GAAG,4CAAsB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvD,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,CAAC,CAAC,CAAC,wCAAwC;KACxF;IACD,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,eAAe,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,eAAe,CAAC,CAAC;IAC9D,OAAO,0CAA2B,CAAC,eAAe,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAC5E,CAAC;AAZD,oDAYC;AAED,MAAM;AACN,sEAAsE;AACtE,KAAK;AACL,qDAAqD;AACrD,YAAY;AACZ,wBAAwB;AACxB,gCAAgC;AAChC,yBAAyB;AACzB,sCAAsC;AACtC,MAAM;AACN,uFAAuF;AACvF,EAAE;AACF,gCAAgC;AAChC,uEAAuE;AACvE,mEAAmE;AACnE,qBAAqB;AACrB,uCAAuC;AACvC,0FAA0F;AAC1F,oCAAoC;AACpC,YAAY;AACZ,yCAAyC;AACzC,UAAU;AACV,KAAK;AACL,EAAE;AAEF,SAAgB,oBAAoB,CAAC,MAAc,EAAE,WAAwB;IACzE,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,WAAW,CAAC,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,WAAW,CAAC,mBAAmB,CAAC,CAAC;IAC9G,MAAM,OAAO,GAAG,4CAA6B,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;IAC/D,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC1B,OAAO,OAAO,CAAC;AACnB,CAAC;AAND,oDAMC;AAED,SAAS,qBAAqB,CAAC,WAAwB;IACnD,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,IAAI,aAAa,CAAC;IACzD,MAAM,CAAC,SAAS,KAAK,aAAa,IAAI,SAAS,KAAK,aAAa,CAAC,CAAC;IACnE,OAAO,SAAS,CAAC;AACrB,CAAC;AAED,SAAgB,4BAA4B,CAAC,MAAc,EAAE,WAAwB;IACjF,MAAM,SAAS,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,WAAW,CAAC,aAAa,CAAC;IACtC,MAAM,UAAU,GAAG,WAAW,CAAC,oBAAoB,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC;IAEjE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAC7B,MAAM,gBAAgB,GAAG,EAAE,CAAC;IAC5B,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7C,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IACtC,OAAO,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;AAC3C,CAAC;AAXD,oEAWC;AAED,SAAgB,4BAA4B,CAAC,MAAc,EAAE,WAAwB;IACjF,MAAM,SAAS,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,WAAW,CAAC,aAAa,CAAC;IACtC,MAAM,UAAU,GAAG,WAAW,CAAC,oBAAoB,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC;IAEnE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAE7B,MAAM,gBAAgB,GAAG,EAAE,CAAC;IAC5B,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7C,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAEtC,OAAO,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;AAC3C,CAAC;AAbD,oEAaC;AAED;;;;;GAKG;AACH,SAAgB,wCAAwC,CAAC,OAAe,EAAE,WAAwB;IAC9F,MAAM,CAAC,OAAO,YAAY,MAAM,CAAC,CAAC;IAClC,MAAM,CAAC,WAAW,CAAC,UAAU,YAAY,MAAM,CAAC,CAAC;IACjD,MAAM,CAAC,OAAO,WAAW,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC;IAClD,MAAM,CAAC,WAAW,CAAC,SAAS,KAAK,MAAM,IAAI,WAAW,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC;IAC/E,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,SAAS,EAAE,WAAW,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IAC5G,MAAM,CAAC,SAAS,CAAC,MAAM,KAAK,WAAW,CAAC,eAAe,CAAC,CAAC;IACzD,OAAO,SAAS,CAAC;AACrB,CAAC;AARD,4FAQC;AAED;;;;;GAKG;AACH,SAAgB,mCAAmC,CAAC,KAAa,EAAE,WAAwB;IACvF,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,eAAe,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,eAAe,CAAC,CAAC;IAC1E,MAAM,KAAK,GAAG,wCAAwC,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAC7E,OAAO,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC/D,CAAC;AALD,kFAKC"}

package/dist/explore_certificate.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @module node_opcua_crypto
+ */
+/// <reference types="node" />
+import { Certificate, CertificatePEM } from "./common";
+import { DirectoryName } from "./asn1";
+export declare type PublicKeyLength = 128 | 256 | 384 | 512;
+/**
+ * A structure exposing useful information about a certificate
+ */
+export interface CertificateInfo {
+    /** the public key length in bits */
+    publicKeyLength: PublicKeyLength;
+    /** the date at which the certificate starts to be valid */
+    notBefore: Date;
+    /** the date after which the certificate is not valid any more */
+    notAfter: Date;
+    /** info about certificate owner */
+    subject: DirectoryName;
+    /** public key */
+    publicKey: Buffer;
+}
+export declare function coerceCertificate(certificate: Certificate | CertificatePEM): Certificate;
+/**
+ * @method exploreCertificateInfo
+ * returns useful information about the certificate such as public key length, start date and end of validity date,
+ * and CN
+ * @param certificate the certificate to explore
+ */
+export declare function exploreCertificateInfo(certificate: Certificate | CertificatePEM): CertificateInfo;

package/dist/explore_certificate.js

@@ -0,0 +1,44 @@
+"use strict";
+/**
+ * @module node_opcua_crypto
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exploreCertificateInfo = exports.coerceCertificate = void 0;
+const crypto_explore_certificate_1 = require("./crypto_explore_certificate");
+const crypto_utils_1 = require("./crypto_utils");
+const assert = require("assert");
+function coerceCertificate(certificate) {
+    if (typeof certificate === "string") {
+        certificate = crypto_utils_1.convertPEMtoDER(certificate);
+    }
+    assert(certificate instanceof Buffer);
+    return certificate;
+}
+exports.coerceCertificate = coerceCertificate;
+/**
+ * @method exploreCertificateInfo
+ * returns useful information about the certificate such as public key length, start date and end of validity date,
+ * and CN
+ * @param certificate the certificate to explore
+ */
+function exploreCertificateInfo(certificate) {
+    certificate = coerceCertificate(certificate);
+    const certInfo = crypto_explore_certificate_1.exploreCertificate(certificate);
+    const data = {
+        publicKeyLength: certInfo.tbsCertificate.subjectPublicKeyInfo.keyLength,
+        notBefore: certInfo.tbsCertificate.validity.notBefore,
+        notAfter: certInfo.tbsCertificate.validity.notAfter,
+        publicKey: certInfo.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey,
+        subject: certInfo.tbsCertificate.subject,
+    };
+    // istanbul ignore next
+    if (!(data.publicKeyLength === 512 ||
+        data.publicKeyLength === 384 ||
+        data.publicKeyLength === 256 ||
+        data.publicKeyLength === 128)) {
+        throw new Error("Invalid public key length (expecting 128,256,384 or 512)" + data.publicKeyLength);
+    }
+    return data;
+}
+exports.exploreCertificateInfo = exploreCertificateInfo;
+//# sourceMappingURL=explore_certificate.js.map

package/dist/explore_certificate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"explore_certificate.js","sourceRoot":"","sources":["../lib/explore_certificate.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAGH,6EAAwF;AAExF,iDAAiD;AACjD,iCAAiC;AAoBjC,SAAgB,iBAAiB,CAAC,WAAyC;IACvE,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE;QACjC,WAAW,GAAG,8BAAe,CAAC,WAAW,CAAC,CAAC;KAC9C;IACD,MAAM,CAAC,WAAW,YAAY,MAAM,CAAC,CAAC;IACtC,OAAO,WAAW,CAAC;AACvB,CAAC;AAND,8CAMC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,WAAyC;IAC5E,WAAW,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;IAE7C,MAAM,QAAQ,GAAG,+CAAkB,CAAC,WAAW,CAAC,CAAC;IACjD,MAAM,IAAI,GAAoB;QAC1B,eAAe,EAAE,QAAQ,CAAC,cAAc,CAAC,oBAAoB,CAAC,SAAS;QACvE,SAAS,EAAE,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,SAAS;QACrD,QAAQ,EAAE,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,QAAQ;QACnD,SAAS,EAAE,QAAQ,CAAC,cAAc,CAAC,oBAAoB,CAAC,gBAAgB;QACxE,OAAO,EAAE,QAAQ,CAAC,cAAc,CAAC,OAAO;KAC3C,CAAC;IACF,uBAAuB;IACvB,IACI,CAAC,CACG,IAAI,CAAC,eAAe,KAAK,GAAG;QAC5B,IAAI,CAAC,eAAe,KAAK,GAAG;QAC5B,IAAI,CAAC,eAAe,KAAK,GAAG;QAC5B,IAAI,CAAC,eAAe,KAAK,GAAG,CAC/B,EACH;QACE,MAAM,IAAI,KAAK,CAAC,0DAA0D,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;KACtG;IACD,OAAO,IAAI,CAAC;AAChB,CAAC;AAvBD,wDAuBC"}

package/dist/explore_certificate_revocation_list.d.ts

@@ -0,0 +1,30 @@
+/// <reference types="node" />
+import { AlgorithmIdentifier, BlockInfo, DirectoryName } from "./asn1";
+export declare type Version = string;
+export declare type Name = string;
+export declare type CertificateSerialNumber = string;
+export interface Extensions {
+}
+export interface RevokedCertificate {
+    userCertificate: CertificateSerialNumber;
+    revocationDate: Date;
+    crlEntryExtensions?: Extensions;
+}
+export interface TBSCertList {
+    version?: Version;
+    signature: AlgorithmIdentifier;
+    issuer: Name;
+    issuerFingerprint: string;
+    thisUpdate: Date;
+    nextUpdate?: Date;
+    revokedCertificates: RevokedCertificate[];
+}
+export interface CertificateRevocationListInfo {
+    tbsCertList: TBSCertList;
+    signatureAlgorithm: AlgorithmIdentifier;
+    signatureValue: Buffer;
+}
+export declare function readNameForCrl(buffer: Buffer, block: BlockInfo): DirectoryName;
+export declare type CertificateRevocationList = Buffer;
+export declare function readCertificateRevocationList(filename: string): Promise<CertificateRevocationList>;
+export declare function exploreCertificateRevocationList(crl: CertificateRevocationList): CertificateRevocationListInfo;

package/dist/explore_certificate_revocation_list.js

@@ -0,0 +1,67 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exploreCertificateRevocationList = exports.readCertificateRevocationList = exports.readNameForCrl = void 0;
+const fs = require("fs");
+const util_1 = require("util");
+const asn1_1 = require("./asn1");
+const crypto_utils_1 = require("./crypto_utils");
+function readNameForCrl(buffer, block) {
+    return asn1_1._readDirectoryName(buffer, block);
+}
+exports.readNameForCrl = readNameForCrl;
+function _readTbsCertList(buffer, blockInfo) {
+    const blocks = asn1_1._readStruct(buffer, blockInfo);
+    const version = asn1_1._readIntegerValue(buffer, blocks[0]);
+    const signature = asn1_1._readAlgorithmIdentifier(buffer, blocks[1]);
+    const issuer = readNameForCrl(buffer, blocks[2]);
+    const issuerFingerprint = asn1_1.formatBuffer2DigetHexWithColum(crypto_utils_1.makeSHA1Thumbprint(asn1_1._getBlock(buffer, blocks[2])));
+    const thisUpdate = asn1_1._readTime(buffer, blocks[3]);
+    const nextUpdate = asn1_1._readTime(buffer, blocks[4]);
+    const revokedCertificates = [];
+    if (blocks[5] && blocks[5].tag < 0x80) {
+        const list = asn1_1._readStruct(buffer, blocks[5]);
+        for (const r of list) {
+            // sometime blocks[5] doesn't exits .. in this case
+            const rr = asn1_1._readStruct(buffer, r);
+            const userCertificate = asn1_1.formatBuffer2DigetHexWithColum(asn1_1._readLongIntegerValue(buffer, rr[0]));
+            const revocationDate = asn1_1._readTime(buffer, rr[1]);
+            revokedCertificates.push({
+                revocationDate,
+                userCertificate,
+            });
+        }
+    }
+    const ext0 = asn1_1._findBlockAtIndex(blocks, 0);
+    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
+}
+function readCertificateRevocationList(filename) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const crl = yield util_1.promisify(fs.readFile)(filename);
+        if (crl[0] === 0x30 && crl[1] === 0x82) {
+            // der format
+            return crl;
+        }
+        const raw_crl = crl.toString();
+        return crypto_utils_1.convertPEMtoDER(raw_crl);
+    });
+}
+exports.readCertificateRevocationList = readCertificateRevocationList;
+function exploreCertificateRevocationList(crl) {
+    const blockInfo = asn1_1.readTag(crl, 0);
+    const blocks = asn1_1._readStruct(crl, blockInfo);
+    const tbsCertList = _readTbsCertList(crl, blocks[0]);
+    const signatureAlgorithm = asn1_1._readAlgorithmIdentifier(crl, blocks[1]);
+    const signatureValue = asn1_1._readSignatureValueBin(crl, blocks[2]);
+    return { tbsCertList, signatureAlgorithm, signatureValue };
+}
+exports.exploreCertificateRevocationList = exploreCertificateRevocationList;
+//# sourceMappingURL=explore_certificate_revocation_list.js.map

package/dist/explore_certificate_revocation_list.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"explore_certificate_revocation_list.js","sourceRoot":"","sources":["../lib/explore_certificate_revocation_list.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,yBAAyB;AAGzB,+BAAiC;AACjC,iCAmBgB;AAChB,iDAAqE;AA4BrE,SAAgB,cAAc,CAAC,MAAc,EAAE,KAAgB;IAC3D,OAAO,yBAAkB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC7C,CAAC;AAFD,wCAEC;AAED,SAAS,gBAAgB,CAAC,MAAc,EAAE,SAAoB;IAC1D,MAAM,MAAM,GAAG,kBAAW,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAE9C,MAAM,OAAO,GAAG,wBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,+BAAwB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,MAAM,iBAAiB,GAAG,qCAA8B,CAAC,iCAAkB,CAAC,gBAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE3G,MAAM,UAAU,GAAG,gBAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,UAAU,GAAG,gBAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAEhD,MAAM,mBAAmB,GAAyB,EAAE,CAAC;IAErD,IAAI,MAAM,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,EAAE;QACnC,MAAM,IAAI,GAAG,kBAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5C,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE;YAClB,mDAAmD;YACnD,MAAM,EAAE,GAAG,kBAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YAClC,MAAM,eAAe,GAAG,qCAA8B,CAAC,4BAAqB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC7F,MAAM,cAAc,GAAG,gBAAS,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAChD,mBAAmB,CAAC,IAAI,CAAC;gBACrB,cAAc;gBACd,eAAe;aAClB,CAAC,CAAC;SACN;KACJ;IAED,MAAM,IAAI,GAAG,wBAAiB,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAE1C,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,mBAAmB,EAAiB,CAAC;AAChH,CAAC;AAID,SAAsB,6BAA6B,CAAC,QAAgB;;QAChE,MAAM,GAAG,GAAG,MAAM,gBAAS,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE;YACpC,aAAa;YACb,OAAO,GAAgC,CAAC;SAC3C;QACD,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC/B,OAAO,8BAAe,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;CAAA;AARD,sEAQC;AACD,SAAgB,gCAAgC,CAAC,GAA8B;IAC3E,MAAM,SAAS,GAAG,cAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,kBAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,kBAAkB,GAAG,+BAAwB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACpE,MAAM,cAAc,GAAG,6BAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,cAAc,EAAE,CAAC;AAC/D,CAAC;AAPD,4EAOC"}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * @module node_opcua_crypto
+ */
+export * from "./common";
+export * from "./derived_keys";
+export * from "./explore_certificate";
+export * from "./crypto_utils";
+export * from "./crypto_explore_certificate";
+export * from "./verify_cerficate_signature";
+export * from "./explore_certificate_revocation_list";

package/dist/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !exports.hasOwnProperty(p)) __createBinding(exports, m, p);
+}
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * @module node_opcua_crypto
+ */
+__exportStar(require("./common"), exports);
+__exportStar(require("./derived_keys"), exports);
+__exportStar(require("./explore_certificate"), exports);
+__exportStar(require("./crypto_utils"), exports);
+__exportStar(require("./crypto_explore_certificate"), exports);
+__exportStar(require("./verify_cerficate_signature"), exports);
+__exportStar(require("./explore_certificate_revocation_list"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;GAEG;AACH,2CAAyB;AACzB,iDAA+B;AAC/B,wDAAsC;AACtC,iDAA+B;AAC/B,+DAA6C;AAC7C,+DAA6C;AAC7C,wEAAsD"}

package/dist/oid_map.d.ts

@@ -0,0 +1,7 @@
+export declare const oid_map: {
+    [key: string]: {
+        d: string;
+        c: string;
+        w?: boolean;
+    };
+};