node-opcua-crypto 2.1.1 → 2.2.0

package/source/verify_certificate_signature.ts

@@ -1,105 +1,105 @@
-// tslint:disable: no-console
-
-// Now that we got a hash of the original certificate,
-// we need to verify if we can obtain the same hash by using the same hashing function
-// (in this case SHA-384). In order to do that, we need to extract just the body of
-// the signed certificate. Which, in our case, is everything but the signature.
-// The start of the body is always the first digit of the second line of the following command:
-import * as crypto from "crypto";
-
-import { Certificate, PrivateKey } from "./common";
-import { split_der, exploreCertificate } from "./crypto_explore_certificate";
-import { toPem } from "./crypto_utils";
-import { _readAlgorithmIdentifier, _readSignatureValueBin, TagType, readTag, _readStruct, _getBlock } from "./asn1";
-
-export function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCertificate: Certificate): boolean {
-    const block_info = readTag(certificateOrCrl, 0);
-    const blocks = _readStruct(certificateOrCrl, block_info);
-    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
-
-    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
-    const signatureAlgorithm = _readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
-    const signatureValue = _readSignatureValueBin(certificateOrCrl, blocks[2]);
-
-    const p = split_der(parentCertificate)[0];
-    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
-    const certPem = toPem(p, "CERTIFICATE");
-    const verify = crypto.createVerify(signatureAlgorithm.identifier);
-    verify.update(bufferToBeSigned);
-    verify.end();
-    return verify.verify(certPem, signatureValue);
-}
-
-export function verifyCertificateSignature(certificate: Certificate, parentCertificate: Certificate): boolean {
-    return verifyCertificateOrClrSignature(certificate, parentCertificate);
-}
-export function verifyCertificateRevocationListSignature(
-    certificateRevocationList: Certificate,
-    parentCertificate: Certificate
-): boolean {
-    return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
-}
-
-export type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
-export async function verifyCertificateChain(certificateChain: Certificate[]): Promise<{ status: _VerifyStatus; reason: string }> {
-    // verify that all the certificate
-    // second certificate must be used for CertificateSign
-
-    for (let index = 1; index < certificateChain.length; index++) {
-        const cert = certificateChain[index - 1];
-        const certParent = certificateChain[index];
-
-        // parent child must have keyCertSign
-        const certParentInfo = exploreCertificate(certParent);
-        const keyUsage = certParentInfo.tbsCertificate.extensions!.keyUsage!;
-
-        // istanbul ignore next
-        if (!keyUsage.keyCertSign) {
-            return {
-                status: "BadCertificateIssuerUseNotAllowed",
-                reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
-            };
-        }
-
-        const parentSignChild = verifyCertificateSignature(cert, certParent);
-        if (!parentSignChild) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "One of the certificate in the chain is not signing the previous certificate",
-            };
-        }
-        const certInfo = exploreCertificate(cert);
-
-        // istanbul ignore next
-        if (!certInfo.tbsCertificate.extensions) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "Cannot find X409 Extension 3 in certificate",
-            };
-        }
-
-        // istanbul ignore next
-        if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "Cannot find X409 Extension 3 in certificate (parent)",
-            };
-        }
-
-        // istanbul ignore next
-        if (
-            certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
-            certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier
-        ) {
-            return {
-                status: "BadCertificateInvalid",
-                reason:
-                    "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
-            };
-        }
-    }
-    return {
-        status: "Good",
-        reason: `certificate chain is valid(length = ${certificateChain.length})`,
-    };
-}
+// tslint:disable: no-console
+
+// Now that we got a hash of the original certificate,
+// we need to verify if we can obtain the same hash by using the same hashing function
+// (in this case SHA-384). In order to do that, we need to extract just the body of
+// the signed certificate. Which, in our case, is everything but the signature.
+// The start of the body is always the first digit of the second line of the following command:
+import * as crypto from "crypto";
+
+import { Certificate, PrivateKey } from "./common";
+import { split_der, exploreCertificate } from "./crypto_explore_certificate";
+import { toPem } from "./crypto_utils";
+import { _readAlgorithmIdentifier, _readSignatureValueBin, TagType, readTag, _readStruct, _getBlock } from "./asn1";
+
+export function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCertificate: Certificate): boolean {
+    const block_info = readTag(certificateOrCrl, 0);
+    const blocks = _readStruct(certificateOrCrl, block_info);
+    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
+
+    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
+    const signatureAlgorithm = _readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
+    const signatureValue = _readSignatureValueBin(certificateOrCrl, blocks[2]);
+
+    const p = split_der(parentCertificate)[0];
+    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
+    const certPem = toPem(p, "CERTIFICATE");
+    const verify = crypto.createVerify(signatureAlgorithm.identifier);
+    verify.update(bufferToBeSigned);
+    verify.end();
+    return verify.verify(certPem, signatureValue);
+}
+
+export function verifyCertificateSignature(certificate: Certificate, parentCertificate: Certificate): boolean {
+    return verifyCertificateOrClrSignature(certificate, parentCertificate);
+}
+export function verifyCertificateRevocationListSignature(
+    certificateRevocationList: Certificate,
+    parentCertificate: Certificate
+): boolean {
+    return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+}
+
+export type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
+export async function verifyCertificateChain(certificateChain: Certificate[]): Promise<{ status: _VerifyStatus; reason: string }> {
+    // verify that all the certificate
+    // second certificate must be used for CertificateSign
+
+    for (let index = 1; index < certificateChain.length; index++) {
+        const cert = certificateChain[index - 1];
+        const certParent = certificateChain[index];
+
+        // parent child must have keyCertSign
+        const certParentInfo = exploreCertificate(certParent);
+        const keyUsage = certParentInfo.tbsCertificate.extensions!.keyUsage!;
+
+        // istanbul ignore next
+        if (!keyUsage.keyCertSign) {
+            return {
+                status: "BadCertificateIssuerUseNotAllowed",
+                reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
+            };
+        }
+
+        const parentSignChild = verifyCertificateSignature(cert, certParent);
+        if (!parentSignChild) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "One of the certificate in the chain is not signing the previous certificate",
+            };
+        }
+        const certInfo = exploreCertificate(cert);
+
+        // istanbul ignore next
+        if (!certInfo.tbsCertificate.extensions) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "Cannot find X409 Extension 3 in certificate",
+            };
+        }
+
+        // istanbul ignore next
+        if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "Cannot find X409 Extension 3 in certificate (parent)",
+            };
+        }
+
+        // istanbul ignore next
+        if (
+            certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
+            certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier
+        ) {
+            return {
+                status: "BadCertificateInvalid",
+                reason:
+                    "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
+            };
+        }
+    }
+    return {
+        status: "Good",
+        reason: `certificate chain is valid(length = ${certificateChain.length})`,
+    };
+}

package/source_nodejs/index.ts

@@ -1,3 +1,3 @@
-export * from "./read";
-export * from "./read_certificate_revocation_list";
+export * from "./read";
+export * from "./read_certificate_revocation_list";
 export * from "./read_certificate_signing_request";

package/source_nodejs/read_certificate_revocation_list.ts

@@ -1,14 +1,14 @@
-import * as fs from "fs";
-import { promisify } from "util";
-import { convertPEMtoDER } from "../source/crypto_utils";
-import { CertificateRevocationList } from "../source/common";
-
-export async function readCertificateRevocationList(filename: string): Promise<CertificateRevocationList> {
-    const crl = await promisify(fs.readFile)(filename);
-    if (crl[0] === 0x30 && crl[1] === 0x82) {
-        // der format
-        return crl as CertificateRevocationList;
-    }
-    const raw_crl = crl.toString();
-    return convertPEMtoDER(raw_crl);
-}
+import * as fs from "fs";
+import { promisify } from "util";
+import { convertPEMtoDER } from "../source/crypto_utils";
+import { CertificateRevocationList } from "../source/common";
+
+export async function readCertificateRevocationList(filename: string): Promise<CertificateRevocationList> {
+    const crl = await promisify(fs.readFile)(filename);
+    if (crl[0] === 0x30 && crl[1] === 0x82) {
+        // der format
+        return crl as CertificateRevocationList;
+    }
+    const raw_crl = crl.toString();
+    return convertPEMtoDER(raw_crl);
+}

package/source_nodejs/read_certificate_signing_request.ts

@@ -1,17 +1,17 @@
-import * as fs from "fs";
-import { promisify } from "util";
-import { convertPEMtoDER } from "../source/crypto_utils";
-import { CertificateRevocationList } from "../source/common";
-import { assert } from "console";
-
-export type CertificateSigningRequest = Buffer;
-
-export async function readCertificateSigningRequest(filename: string): Promise<CertificateSigningRequest> {
-    const csr = await promisify(fs.readFile)(filename);
-    if (csr[0] === 0x30 && csr[1] === 0x82) {
-        // der format
-        return csr as CertificateRevocationList;
-    }
-    const raw_crl = csr.toString();
-    return convertPEMtoDER(raw_crl);
-}
+import * as fs from "fs";
+import { promisify } from "util";
+import { convertPEMtoDER } from "../source/crypto_utils";
+import { CertificateRevocationList } from "../source/common";
+import { assert } from "console";
+
+export type CertificateSigningRequest = Buffer;
+
+export async function readCertificateSigningRequest(filename: string): Promise<CertificateSigningRequest> {
+    const csr = await promisify(fs.readFile)(filename);
+    if (csr[0] === 0x30 && csr[1] === 0x82) {
+        // der format
+        return csr as CertificateRevocationList;
+    }
+    const raw_crl = csr.toString();
+    return convertPEMtoDER(raw_crl);
+}

package/test_certificate.ts

@@ -1,34 +1,34 @@
-// tslint:disable: no-console
-import * as fs from "fs";
-import { exploreCertificate, readCertificate } from ".";
-
-async function testCertificate(filename: string): Promise<void> {
-    const cert1 = await readCertificate(filename);
-    try {
-        const info = exploreCertificate(cert1);
-        //        console.log(info);
-    } catch (err) {
-        console.log(filename, "err = ", err.message);
-    }
-}
-async function testCertificate1(filename: string): Promise<void> {
-    const cert1 = fs.readFileSync(filename);
-    try {
-        const info = exploreCertificate(cert1);
-        //        console.log(info);
-    } catch (err) {
-        console.log(filename, "err = ", err.message);
-        console.log(err);
-        throw err;
-    }
-}
-
-(async () => {
-    try {
-        testCertificate1("./read.cer");
-        testCertificate1("./unsol.cer");
-        testCertificate1("./write.cer");
-    } catch (err) {
-        console.log("???? ERR !!!! ", err.message);
-    }
-})();
+// tslint:disable: no-console
+import * as fs from "fs";
+import { exploreCertificate, readCertificate } from ".";
+
+async function testCertificate(filename: string): Promise<void> {
+    const cert1 = await readCertificate(filename);
+    try {
+        const info = exploreCertificate(cert1);
+        //        console.log(info);
+    } catch (err) {
+        console.log(filename, "err = ", err.message);
+    }
+}
+async function testCertificate1(filename: string): Promise<void> {
+    const cert1 = fs.readFileSync(filename);
+    try {
+        const info = exploreCertificate(cert1);
+        //        console.log(info);
+    } catch (err) {
+        console.log(filename, "err = ", err.message);
+        console.log(err);
+        throw err;
+    }
+}
+
+(async () => {
+    try {
+        testCertificate1("./read.cer");
+        testCertificate1("./unsol.cer");
+        testCertificate1("./write.cer");
+    } catch (err) {
+        console.log("???? ERR !!!! ", err.message);
+    }
+})();

package/tsconfig.json

@@ -1,18 +1,18 @@
-{
-    "compilerOptions": {
-        "skipLibCheck": true,
-        "target": "es6",
-        "moduleResolution": "node",
-        "module": "commonjs",
-        "declaration": true,
-        "outDir": "./dist",
-        "sourceMap": true,
-        "strict": true,
-        "listFiles": false,
-        "traceResolution": false,
-        "incremental": true,
-        "types": ["node", "mocha", "should"],
-        "rootDir": "."
-    },
-    "files": ["source/index.ts", "source_nodejs/index.ts"]
-}
+{
+    "compilerOptions": {
+        "skipLibCheck": true,
+        "target": "es6",
+        "moduleResolution": "node",
+        "module": "commonjs",
+        "declaration": true,
+        "outDir": "./dist",
+        "sourceMap": true,
+        "strict": true,
+        "listFiles": false,
+        "traceResolution": false,
+        "incremental": true,
+        "types": ["node", "mocha", "should"],
+        "rootDir": "."
+    },
+    "files": ["source/index.ts", "source_nodejs/index.ts"]
+}

package/tslint.json

@@ -1,35 +1,35 @@
-{
-  "extends": [
-    "tslint:recommended",
-    "tslint-config-prettier"
-  ],
-  "jsRules": {},
-  "rules": {
-    "interface-name": [
-      false,
-      "never-prefix"
-    ],
-    "interface-over-type-literal": true,
-    "variable-name": [
-      true,
-      "ban-keywords",
-      "allow-leading-underscore"
-    ],
-    "trailing-comma": [
-      false
-    ],
-    "object-literal-sort-keys": false,
-    "comment-format": [
-      false
-    ],
-    "no-var-requires": false,
-    "max-line-length": [
-      false,
-      120
-    ],
-    "one-variable-per-declaration": [
-      false
-    ]
-  },
-  "rulesDirectory": []
+{
+  "extends": [
+    "tslint:recommended",
+    "tslint-config-prettier"
+  ],
+  "jsRules": {},
+  "rules": {
+    "interface-name": [
+      false,
+      "never-prefix"
+    ],
+    "interface-over-type-literal": true,
+    "variable-name": [
+      true,
+      "ban-keywords",
+      "allow-leading-underscore"
+    ],
+    "trailing-comma": [
+      false
+    ],
+    "object-literal-sort-keys": false,
+    "comment-format": [
+      false
+    ],
+    "no-var-requires": false,
+    "max-line-length": [
+      false,
+      120
+    ],
+    "one-variable-per-declaration": [
+      false
+    ]
+  },
+  "rulesDirectory": []
 }

package/dist/source/certificate_matches_private_key.d.ts

@@ -1,2 +0,0 @@
-import { Certificate, PrivateKey } from "./common";
-export declare function certificateMatchesPrivateKey(certificate: Certificate, privateKey: PrivateKey): boolean;

package/dist/source/certificate_matches_private_key.js

@@ -1,22 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.certificateMatchesPrivateKey = void 0;
-const crypto_utils_1 = require("./crypto_utils");
-/**
- * check that the given certificate matches the given private key
- * @param certificate
- * @param privateKey
- */
-function certificateMatchesPrivateKeyPEM(certificate, privateKey) {
-    const initialBuffer = Buffer.from("Lorem Ipsum");
-    const encryptedBuffer = (0, crypto_utils_1.publicEncrypt_long)(initialBuffer, certificate, 256, 11);
-    const decryptedBuffer = (0, crypto_utils_1.privateDecrypt_long)(encryptedBuffer, privateKey, 256);
-    return initialBuffer.toString("utf-8") === decryptedBuffer.toString("utf-8");
-}
-function certificateMatchesPrivateKey(certificate, privateKey) {
-    const certificatePEM = (0, crypto_utils_1.toPem)(certificate, "CERTIFICATE");
-    const privateKeyPEM = (0, crypto_utils_1.toPem)(privateKey, "RSA PRIVATE KEY");
-    return certificateMatchesPrivateKeyPEM(certificatePEM, privateKeyPEM);
-}
-exports.certificateMatchesPrivateKey = certificateMatchesPrivateKey;
-//# sourceMappingURL=certificate_matches_private_key.js.map

package/dist/source/certificate_matches_private_key.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"certificate_matches_private_key.js","sourceRoot":"","sources":["../../source/certificate_matches_private_key.ts"],"names":[],"mappings":";;;AACA,iDAAgF;AAEhF;;;;GAIG;AACH,SAAS,+BAA+B,CAAC,WAA2B,EAAE,UAAyB;IAC3F,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACjD,MAAM,eAAe,GAAG,IAAA,iCAAkB,EAAC,aAAa,EAAE,WAAW,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAChF,MAAM,eAAe,GAAG,IAAA,kCAAmB,EAAC,eAAe,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAC9E,OAAO,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjF,CAAC;AAED,SAAgB,4BAA4B,CAAC,WAAwB,EAAE,UAAsB;IACzF,MAAM,cAAc,GAAG,IAAA,oBAAK,EAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IACzD,MAAM,aAAa,GAAG,IAAA,oBAAK,EAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IAC3D,OAAO,+BAA+B,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;AAC1E,CAAC;AAJD,oEAIC"}