node-opcua-crypto 2.1.2 → 3.0.0-beta.0

package/dist/source/public_private_match.d.ts

@@ -1,3 +1,3 @@
-import { Certificate, PrivateKey } from "./common";
-export declare function publicKeyAndPrivateKeyMatches(certificate: Certificate, privateKey: PrivateKey): boolean;
-export declare function certificateMatchesPrivateKey(certificate: Certificate, privateKey: PrivateKey): boolean;
+import { Certificate, PrivateKey } from "./common";
+export declare function publicKeyAndPrivateKeyMatches(certificate: Certificate, privateKey: PrivateKey): boolean;
+export declare function certificateMatchesPrivateKey(certificate: Certificate, privateKey: PrivateKey): boolean;

package/dist/source/public_private_match.js

@@ -1,37 +1,37 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.certificateMatchesPrivateKey = exports.publicKeyAndPrivateKeyMatches = void 0;
-const explore_private_key_1 = require("./explore_private_key");
-const crypto_utils_1 = require("./crypto_utils");
-const crypto_explore_certificate_1 = require("./crypto_explore_certificate");
-function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
-    const i = (0, crypto_explore_certificate_1.exploreCertificate)(certificate);
-    const j = (0, explore_private_key_1.explorePrivateKey)(privateKey);
-    const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
-    const modulus2 = j.modulus;
-    if (modulus1.length != modulus2.length) {
-        return false;
-    }
-    return modulus1.toString("hex") === modulus2.toString("hex");
-}
-exports.publicKeyAndPrivateKeyMatches = publicKeyAndPrivateKeyMatches;
-/**
- * check that the given certificate matches the given private key
- * @param certificate
- * @param privateKey
- */
-function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
-    const initialBuffer = Buffer.from("Lorem Ipsum");
-    const encryptedBuffer = (0, crypto_utils_1.publicEncrypt_long)(initialBuffer, certificate, blockSize, 11);
-    const decryptedBuffer = (0, crypto_utils_1.privateDecrypt_long)(encryptedBuffer, privateKey, blockSize);
-    const finalString = decryptedBuffer.toString("utf-8");
-    return initialBuffer.toString("utf-8") === finalString;
-}
-function certificateMatchesPrivateKey(certificate, privateKey) {
-    const e = (0, explore_private_key_1.explorePrivateKey)(privateKey);
-    const blockSize = e.modulus.length;
-    const certificatePEM = (0, crypto_utils_1.toPem)(certificate, "CERTIFICATE");
-    return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
-}
-exports.certificateMatchesPrivateKey = certificateMatchesPrivateKey;
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.certificateMatchesPrivateKey = exports.publicKeyAndPrivateKeyMatches = void 0;
+const explore_private_key_1 = require("./explore_private_key");
+const crypto_utils_1 = require("./crypto_utils");
+const crypto_explore_certificate_1 = require("./crypto_explore_certificate");
+function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
+    const i = (0, crypto_explore_certificate_1.exploreCertificate)(certificate);
+    const j = (0, explore_private_key_1.explorePrivateKey)(privateKey);
+    const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
+    const modulus2 = j.modulus;
+    if (modulus1.length != modulus2.length) {
+        return false;
+    }
+    return modulus1.toString("hex") === modulus2.toString("hex");
+}
+exports.publicKeyAndPrivateKeyMatches = publicKeyAndPrivateKeyMatches;
+/**
+ * check that the given certificate matches the given private key
+ * @param certificate
+ * @param privateKey
+ */
+function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
+    const initialBuffer = Buffer.from("Lorem Ipsum");
+    const encryptedBuffer = (0, crypto_utils_1.publicEncrypt_long)(initialBuffer, certificate, blockSize, 11);
+    const decryptedBuffer = (0, crypto_utils_1.privateDecrypt_long)(encryptedBuffer, privateKey, blockSize);
+    const finalString = decryptedBuffer.toString("utf-8");
+    return initialBuffer.toString("utf-8") === finalString;
+}
+function certificateMatchesPrivateKey(certificate, privateKey) {
+    const e = (0, explore_private_key_1.explorePrivateKey)(privateKey);
+    const blockSize = e.modulus.length;
+    const certificatePEM = (0, crypto_utils_1.toPem)(certificate, "CERTIFICATE");
+    return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
+}
+exports.certificateMatchesPrivateKey = certificateMatchesPrivateKey;
 //# sourceMappingURL=public_private_match.js.map

package/dist/source/subject.d.ts

@@ -0,0 +1,27 @@
+export interface SubjectOptions {
+    commonName?: string;
+    organization?: string;
+    organizationalUnit?: string;
+    locality?: string;
+    state?: string;
+    country?: string;
+    domainComponent?: string;
+}
+/**
+ * subjectName	The subject name to use for the Certificate.
+ * If not specified the ApplicationName and/or domainNames are used to create a suitable default value.
+ */
+export declare class Subject implements SubjectOptions {
+    readonly commonName?: string;
+    readonly organization?: string;
+    readonly organizationalUnit?: string;
+    readonly locality?: string;
+    readonly state?: string;
+    readonly country?: string;
+    readonly domainComponent?: string;
+    constructor(options: SubjectOptions | string);
+    static parse(str: string): SubjectOptions;
+    toStringInternal(sep: string): string;
+    toStringForOPCUA(): string;
+    toString(): string;
+}

package/dist/source/subject.js

@@ -0,0 +1,125 @@
+"use strict";
+// ---------------------------------------------------------------------------------------------------------------------
+// node-opcua-pki
+// ---------------------------------------------------------------------------------------------------------------------
+// Copyright (c) 2014-2022 - Etienne Rossignon - etienne.rossignon (at) gadz.org
+// Copyright (c) 2022 - Sterfive.com
+// ---------------------------------------------------------------------------------------------------------------------
+//
+// This  project is licensed under the terms of the MIT license.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+// documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so,  subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+// Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+// ---------------------------------------------------------------------------------------------------------------------
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Subject = void 0;
+const _keys = {
+    C: "country",
+    CN: "commonName",
+    DC: "domainComponent",
+    L: "locality",
+    O: "organization",
+    OU: "organizationalUnit",
+    ST: "state",
+};
+const enquoteIfNecessary = (str) => {
+    str = str.replace(/"/g, "”");
+    return str.match(/\/|=/) ? `"${str}"` : str;
+};
+const unquote = (str) => str.replace(/"/gm, "");
+const unquote2 = (str) => {
+    if (!str)
+        return str;
+    const m = str.match(/^"(.*)"$/);
+    return m ? m[1] : str;
+};
+/**
+ * subjectName	The subject name to use for the Certificate.
+ * If not specified the ApplicationName and/or domainNames are used to create a suitable default value.
+ */
+class Subject {
+    constructor(options) {
+        if (typeof options === "string") {
+            options = Subject.parse(options);
+        }
+        this.commonName = unquote2(options.commonName);
+        this.organization = unquote2(options.organization);
+        this.organizationalUnit = unquote2(options.organizationalUnit);
+        this.locality = unquote2(options.locality);
+        this.state = unquote2(options.state);
+        this.country = unquote2(options.country);
+        this.domainComponent = unquote2(options.domainComponent);
+    }
+    static parse(str) {
+        const elements = str.split(/\/(?=[^/]*?=)/);
+        const options = {};
+        elements.forEach((element) => {
+            if (element.length === 0) {
+                return;
+            }
+            const s = element.split("=");
+            if (s.length !== 2) {
+                throw new Error("invalid format for " + element);
+            }
+            const longName = _keys[s[0]];
+            if (!longName) {
+                throw new Error("Invalid field found in subject name " + s[0]);
+            }
+            const value = s[1];
+            options[longName] = unquote(Buffer.from(value, "ascii").toString("utf8"));
+        });
+        return options;
+    }
+    toStringInternal(sep) {
+        // https://reference.opcfoundation.org/v104/GDS/docs/7.6.4/
+        // The format of the subject name is a sequence of name value pairs separated by a ‘/’.
+        // The name shall be one of ‘CN’, ‘O’, ‘OU’, ‘DC’, ‘L’, ‘S’ or ‘C’ and
+        // shall be followed by a ‘=’ and then followed by the value.
+        // The value may be any printable character except for ‘”’.
+        // If the value contains a ‘/’ or a ‘=’ then it shall be enclosed in double quotes (‘”’).
+        const tmp = [];
+        if (this.country) {
+            tmp.push("C=" + enquoteIfNecessary(this.country));
+        }
+        if (this.state) {
+            tmp.push("ST=" + enquoteIfNecessary(this.state));
+        }
+        if (this.locality) {
+            tmp.push("L=" + enquoteIfNecessary(this.locality));
+        }
+        if (this.organization) {
+            tmp.push("O=" + enquoteIfNecessary(this.organization));
+        }
+        if (this.organizationalUnit) {
+            tmp.push("OU=" + enquoteIfNecessary(this.organizationalUnit));
+        }
+        if (this.commonName) {
+            tmp.push("CN=" + enquoteIfNecessary(this.commonName));
+        }
+        if (this.domainComponent) {
+            tmp.push("DC=" + enquoteIfNecessary(this.domainComponent));
+        }
+        return tmp.join(sep);
+    }
+    toStringForOPCUA() {
+        return this.toStringInternal("/");
+    }
+    toString() {
+        // standard for SSL is to have a / in front of each Field
+        // see https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
+        const t = this.toStringForOPCUA();
+        return t ? "/" + t : t;
+    }
+}
+exports.Subject = Subject;
+//# sourceMappingURL=subject.js.map

package/dist/source/subject.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"subject.js","sourceRoot":"","sources":["../../source/subject.ts"],"names":[],"mappings":";AAAA,wHAAwH;AACxH,iBAAiB;AACjB,wHAAwH;AACxH,gFAAgF;AAChF,oCAAoC;AACpC,wHAAwH;AACxH,EAAE;AACF,gEAAgE;AAChE,EAAE;AACF,+GAA+G;AAC/G,sHAAsH;AACtH,kHAAkH;AAClH,mGAAmG;AACnG,EAAE;AACF,uHAAuH;AACvH,YAAY;AACZ,EAAE;AACF,uHAAuH;AACvH,wHAAwH;AACxH,mHAAmH;AACnH,mHAAmH;AACnH,wHAAwH;;;AAYxH,MAAM,KAAK,GAAG;IACV,CAAC,EAAE,SAAS;IACZ,EAAE,EAAE,YAAY;IAChB,EAAE,EAAE,iBAAiB;IACrB,CAAC,EAAE,UAAU;IACb,CAAC,EAAE,cAAc;IACjB,EAAE,EAAE,oBAAoB;IACxB,EAAE,EAAE,OAAO;CACd,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAC,GAAW,EAAE,EAAE;IACvC,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7B,OAAO,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;AAChD,CAAC,CAAC;AACF,MAAM,OAAO,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxD,MAAM,QAAQ,GAAG,CAAC,GAAwB,EAAE,EAAE;IAC1C,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAChC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AAC1B,CAAC,CAAC;AACF;;;GAGG;AACH,MAAa,OAAO;IAShB,YAAY,OAAgC;QACxC,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;YAC7B,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;SACpC;QACD,IAAI,CAAC,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACnD,IAAI,CAAC,kBAAkB,GAAG,QAAQ,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAC/D,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACzC,IAAI,CAAC,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC7D,CAAC;IAEM,MAAM,CAAC,KAAK,CAAC,GAAW;QAC3B,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAC5C,MAAM,OAAO,GAA4B,EAAE,CAAC;QAE5C,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAe,EAAE,EAAE;YACjC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE;gBACtB,OAAO;aACV;YACD,MAAM,CAAC,GAAa,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAEvC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;gBAChB,MAAM,IAAI,KAAK,CAAC,qBAAqB,GAAG,OAAO,CAAC,CAAC;aACpD;YACD,MAAM,QAAQ,GAAI,KAAgC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACzD,IAAI,CAAC,QAAQ,EAAE;gBACX,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;aAClE;YACD,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACnB,OAAO,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9E,CAAC,CAAC,CAAC;QACH,OAAO,OAAyB,CAAC;IACrC,CAAC;IAEM,gBAAgB,CAAC,GAAW;QAC/B,2DAA2D;QAC3D,uFAAuF;QACvF,sEAAsE;QACtE,6DAA6D;QAC7D,2DAA2D;QAC3D,yFAAyF;QAEzF,MAAM,GAAG,GAAa,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,OAAO,EAAE;YACd,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;SACrD;QACD,IAAI,IAAI,CAAC,KAAK,EAAE;YACZ,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;SACpD;QACD,IAAI,IAAI,CAAC,QAAQ,EAAE;YACf,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;SACtD;QACD,IAAI,IAAI,CAAC,YAAY,EAAE;YACnB,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;SAC1D;QACD,IAAI,IAAI,CAAC,kBAAkB,EAAE;YACzB,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;SACjE;QACD,IAAI,IAAI,CAAC,UAAU,EAAE;YACjB,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;SACzD;QACD,IAAI,IAAI,CAAC,eAAe,EAAE;YACtB,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;SAC9D;QACD,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IACM,gBAAgB;QACnB,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC;IACM,QAAQ;QACX,yDAAyD;QACzD,gFAAgF;QAChF,MAAM,CAAC,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAClC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;CACJ;AAtFD,0BAsFC"}

package/dist/source/verify_certificate_signature.d.ts

@@ -1,10 +1,10 @@
-/// <reference types="node" />
-import { Certificate } from "./common";
-export declare function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCertificate: Certificate): boolean;
-export declare function verifyCertificateSignature(certificate: Certificate, parentCertificate: Certificate): boolean;
-export declare function verifyCertificateRevocationListSignature(certificateRevocationList: Certificate, parentCertificate: Certificate): boolean;
-export type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
-export declare function verifyCertificateChain(certificateChain: Certificate[]): Promise<{
-    status: _VerifyStatus;
-    reason: string;
-}>;
+/// <reference types="node" />
+import { Certificate } from "./common";
+export declare function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCertificate: Certificate): boolean;
+export declare function verifyCertificateSignature(certificate: Certificate, parentCertificate: Certificate): boolean;
+export declare function verifyCertificateRevocationListSignature(certificateRevocationList: Certificate, parentCertificate: Certificate): boolean;
+export type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
+export declare function verifyCertificateChain(certificateChain: Certificate[]): Promise<{
+    status: _VerifyStatus;
+    reason: string;
+}>;

package/dist/source/verify_certificate_signature.js

@@ -1,102 +1,102 @@
-"use strict";
-// tslint:disable: no-console
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyCertificateChain = exports.verifyCertificateRevocationListSignature = exports.verifyCertificateSignature = exports.verifyCertificateOrClrSignature = void 0;
-// Now that we got a hash of the original certificate,
-// we need to verify if we can obtain the same hash by using the same hashing function
-// (in this case SHA-384). In order to do that, we need to extract just the body of
-// the signed certificate. Which, in our case, is everything but the signature.
-// The start of the body is always the first digit of the second line of the following command:
-const crypto = require("crypto");
-const crypto_explore_certificate_1 = require("./crypto_explore_certificate");
-const crypto_utils_1 = require("./crypto_utils");
-const asn1_1 = require("./asn1");
-function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
-    const block_info = (0, asn1_1.readTag)(certificateOrCrl, 0);
-    const blocks = (0, asn1_1._readStruct)(certificateOrCrl, block_info);
-    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
-    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
-    const signatureAlgorithm = (0, asn1_1._readAlgorithmIdentifier)(certificateOrCrl, blocks[1]);
-    const signatureValue = (0, asn1_1._readSignatureValueBin)(certificateOrCrl, blocks[2]);
-    const p = (0, crypto_explore_certificate_1.split_der)(parentCertificate)[0];
-    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
-    const certPem = (0, crypto_utils_1.toPem)(p, "CERTIFICATE");
-    const verify = crypto.createVerify(signatureAlgorithm.identifier);
-    verify.update(bufferToBeSigned);
-    verify.end();
-    return verify.verify(certPem, signatureValue);
-}
-exports.verifyCertificateOrClrSignature = verifyCertificateOrClrSignature;
-function verifyCertificateSignature(certificate, parentCertificate) {
-    return verifyCertificateOrClrSignature(certificate, parentCertificate);
-}
-exports.verifyCertificateSignature = verifyCertificateSignature;
-function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
-    return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
-}
-exports.verifyCertificateRevocationListSignature = verifyCertificateRevocationListSignature;
-function verifyCertificateChain(certificateChain) {
-    return __awaiter(this, void 0, void 0, function* () {
-        // verify that all the certificate
-        // second certificate must be used for CertificateSign
-        for (let index = 1; index < certificateChain.length; index++) {
-            const cert = certificateChain[index - 1];
-            const certParent = certificateChain[index];
-            // parent child must have keyCertSign
-            const certParentInfo = (0, crypto_explore_certificate_1.exploreCertificate)(certParent);
-            const keyUsage = certParentInfo.tbsCertificate.extensions.keyUsage;
-            // istanbul ignore next
-            if (!keyUsage.keyCertSign) {
-                return {
-                    status: "BadCertificateIssuerUseNotAllowed",
-                    reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
-                };
-            }
-            const parentSignChild = verifyCertificateSignature(cert, certParent);
-            if (!parentSignChild) {
-                return {
-                    status: "BadCertificateInvalid",
-                    reason: "One of the certificate in the chain is not signing the previous certificate",
-                };
-            }
-            const certInfo = (0, crypto_explore_certificate_1.exploreCertificate)(cert);
-            // istanbul ignore next
-            if (!certInfo.tbsCertificate.extensions) {
-                return {
-                    status: "BadCertificateInvalid",
-                    reason: "Cannot find X409 Extension 3 in certificate",
-                };
-            }
-            // istanbul ignore next
-            if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
-                return {
-                    status: "BadCertificateInvalid",
-                    reason: "Cannot find X409 Extension 3 in certificate (parent)",
-                };
-            }
-            // istanbul ignore next
-            if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
-                certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
-                return {
-                    status: "BadCertificateInvalid",
-                    reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
-                };
-            }
-        }
-        return {
-            status: "Good",
-            reason: `certificate chain is valid(length = ${certificateChain.length})`,
-        };
-    });
-}
-exports.verifyCertificateChain = verifyCertificateChain;
+"use strict";
+// tslint:disable: no-console
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyCertificateChain = exports.verifyCertificateRevocationListSignature = exports.verifyCertificateSignature = exports.verifyCertificateOrClrSignature = void 0;
+// Now that we got a hash of the original certificate,
+// we need to verify if we can obtain the same hash by using the same hashing function
+// (in this case SHA-384). In order to do that, we need to extract just the body of
+// the signed certificate. Which, in our case, is everything but the signature.
+// The start of the body is always the first digit of the second line of the following command:
+const crypto = require("crypto");
+const crypto_explore_certificate_1 = require("./crypto_explore_certificate");
+const crypto_utils_1 = require("./crypto_utils");
+const asn1_1 = require("./asn1");
+function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
+    const block_info = (0, asn1_1.readTag)(certificateOrCrl, 0);
+    const blocks = (0, asn1_1._readStruct)(certificateOrCrl, block_info);
+    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
+    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
+    const signatureAlgorithm = (0, asn1_1._readAlgorithmIdentifier)(certificateOrCrl, blocks[1]);
+    const signatureValue = (0, asn1_1._readSignatureValueBin)(certificateOrCrl, blocks[2]);
+    const p = (0, crypto_explore_certificate_1.split_der)(parentCertificate)[0];
+    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
+    const certPem = (0, crypto_utils_1.toPem)(p, "CERTIFICATE");
+    const verify = crypto.createVerify(signatureAlgorithm.identifier);
+    verify.update(bufferToBeSigned);
+    verify.end();
+    return verify.verify(certPem, signatureValue);
+}
+exports.verifyCertificateOrClrSignature = verifyCertificateOrClrSignature;
+function verifyCertificateSignature(certificate, parentCertificate) {
+    return verifyCertificateOrClrSignature(certificate, parentCertificate);
+}
+exports.verifyCertificateSignature = verifyCertificateSignature;
+function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
+    return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+}
+exports.verifyCertificateRevocationListSignature = verifyCertificateRevocationListSignature;
+function verifyCertificateChain(certificateChain) {
+    return __awaiter(this, void 0, void 0, function* () {
+        // verify that all the certificate
+        // second certificate must be used for CertificateSign
+        for (let index = 1; index < certificateChain.length; index++) {
+            const cert = certificateChain[index - 1];
+            const certParent = certificateChain[index];
+            // parent child must have keyCertSign
+            const certParentInfo = (0, crypto_explore_certificate_1.exploreCertificate)(certParent);
+            const keyUsage = certParentInfo.tbsCertificate.extensions.keyUsage;
+            // istanbul ignore next
+            if (!keyUsage.keyCertSign) {
+                return {
+                    status: "BadCertificateIssuerUseNotAllowed",
+                    reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
+                };
+            }
+            const parentSignChild = verifyCertificateSignature(cert, certParent);
+            if (!parentSignChild) {
+                return {
+                    status: "BadCertificateInvalid",
+                    reason: "One of the certificate in the chain is not signing the previous certificate",
+                };
+            }
+            const certInfo = (0, crypto_explore_certificate_1.exploreCertificate)(cert);
+            // istanbul ignore next
+            if (!certInfo.tbsCertificate.extensions) {
+                return {
+                    status: "BadCertificateInvalid",
+                    reason: "Cannot find X409 Extension 3 in certificate",
+                };
+            }
+            // istanbul ignore next
+            if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+                return {
+                    status: "BadCertificateInvalid",
+                    reason: "Cannot find X409 Extension 3 in certificate (parent)",
+                };
+            }
+            // istanbul ignore next
+            if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
+                certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
+                return {
+                    status: "BadCertificateInvalid",
+                    reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
+                };
+            }
+        }
+        return {
+            status: "Good",
+            reason: `certificate chain is valid(length = ${certificateChain.length})`,
+        };
+    });
+}
+exports.verifyCertificateChain = verifyCertificateChain;
 //# sourceMappingURL=verify_certificate_signature.js.map

package/dist/source/x509/_build_public_key.d.ts

@@ -0,0 +1 @@
+export declare function buildPublicKey(privateKey: CryptoKey): Promise<CryptoKey>;

package/dist/source/x509/_build_public_key.js

@@ -0,0 +1,36 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildPublicKey = void 0;
+const x509_1 = require("@peculiar/x509");
+// https://stackoverflow.com/questions/56807959/generate-public-key-from-private-key-using-webcrypto-api
+function buildPublicKey(privateKey) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const crypto = x509_1.cryptoProvider.get();
+        // export private key to JWK
+        const jwk = yield crypto.subtle.exportKey("jwk", privateKey);
+        // remove private data from JWK
+        delete jwk.d;
+        delete jwk.dp;
+        delete jwk.dq;
+        delete jwk.q;
+        delete jwk.qi;
+        jwk.key_ops = ["encrypt", "wrapKey"];
+        // import public key
+        const publicKey = yield crypto.subtle.importKey("jwk", jwk, { name: "RSA-OAEP", hash: "SHA-512" }, true, [
+            "encrypt",
+            "wrapKey",
+        ]);
+        return publicKey;
+    });
+}
+exports.buildPublicKey = buildPublicKey;
+//# sourceMappingURL=_build_public_key.js.map

package/dist/source/x509/_build_public_key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_build_public_key.js","sourceRoot":"","sources":["../../../source/x509/_build_public_key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,yCAAgD;AAEhD,wGAAwG;AACxG,SAAsB,cAAc,CAAC,UAAqB;;QACtD,MAAM,MAAM,GAAG,qBAAc,CAAC,GAAG,EAAE,CAAC;QAEpC,4BAA4B;QAC5B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAE7D,+BAA+B;QAC/B,OAAO,GAAG,CAAC,CAAC,CAAC;QACb,OAAO,GAAG,CAAC,EAAE,CAAC;QACd,OAAO,GAAG,CAAC,EAAE,CAAC;QACd,OAAO,GAAG,CAAC,CAAC,CAAC;QACb,OAAO,GAAG,CAAC,EAAE,CAAC;QACd,GAAG,CAAC,OAAO,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAErC,oBAAoB;QACpB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE;YACrG,SAAS;YACT,SAAS;SACZ,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACrB,CAAC;CAAA;AArBD,wCAqBC"}

package/dist/source/x509/_crypto.d.ts

@@ -0,0 +1,3 @@
+import { Crypto } from "@peculiar/webcrypto";
+export declare const crypto: Crypto;
+export * as x509 from "@peculiar/x509";

package/dist/source/x509/_crypto.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.x509 = exports.crypto = void 0;
+const x509 = require("@peculiar/x509");
+const webcrypto_1 = require("@peculiar/webcrypto");
+exports.crypto = new webcrypto_1.Crypto();
+x509.cryptoProvider.set(exports.crypto);
+exports.x509 = require("@peculiar/x509");
+//# sourceMappingURL=_crypto.js.map

package/dist/source/x509/_crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_crypto.js","sourceRoot":"","sources":["../../../source/x509/_crypto.ts"],"names":[],"mappings":";;;AAAA,uCAAuC;AACvC,mDAA6C;AAChC,QAAA,MAAM,GAAG,IAAI,kBAAM,EAAE,CAAC;AACnC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,cAAM,CAAC,CAAC;AAChC,yCAAuC"}

package/dist/source/x509/_fix.d.ts

@@ -0,0 +1,2 @@
+import { Pkcs10CertificateRequest, Pkcs10CertificateRequestCreateParams } from "@peculiar/x509";
+export declare function x509_Pkcs10CertificateRequestGenerator_create_fixed(params: Pkcs10CertificateRequestCreateParams): Promise<Pkcs10CertificateRequest>;

package/dist/source/x509/_fix.js

@@ -0,0 +1,74 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.x509_Pkcs10CertificateRequestGenerator_create_fixed = void 0;
+const asn1Schema = require("@peculiar/asn1-schema");
+const asn1Csr = require("@peculiar/asn1-csr");
+const asn1X509 = require("@peculiar/asn1-x509");
+const asnPkcs9 = require("@peculiar/asn1-pkcs9");
+const tsyringe = require("tsyringe");
+const x509_1 = require("@peculiar/x509");
+function x509_Pkcs10CertificateRequestGenerator_create_fixed(params) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const crypto = x509_1.cryptoProvider.get();
+        if (!params.keys.privateKey) {
+            throw new Error("Bad field 'keys' in 'params' argument. 'privateKey' is empty");
+        }
+        if (!params.keys.publicKey) {
+            throw new Error("Bad field 'keys' in 'params' argument. 'publicKey' is empty");
+        }
+        const spki = yield crypto.subtle.exportKey("spki", params.keys.publicKey);
+        const asnReq = new asn1Csr.CertificationRequest({
+            certificationRequestInfo: new asn1Csr.CertificationRequestInfo({
+                subjectPKInfo: asn1Schema.AsnConvert.parse(spki, asn1X509.SubjectPublicKeyInfo),
+            }),
+        });
+        if (params.name) {
+            const name = params.name instanceof x509_1.Name ? params.name : new x509_1.Name(params.name);
+            asnReq.certificationRequestInfo.subject = asn1Schema.AsnConvert.parse(name.toArrayBuffer(), asn1X509.Name);
+        }
+        if (params.attributes) {
+            for (const o of params.attributes) {
+                asnReq.certificationRequestInfo.attributes.push(asn1Schema.AsnConvert.parse(o.rawData, asn1X509.Attribute));
+            }
+        }
+        if (params.extensions && params.extensions.length) {
+            const attr = new asn1X509.Attribute({ type: asnPkcs9.id_pkcs9_at_extensionRequest });
+            const extensions = new asn1X509.Extensions();
+            for (const o of params.extensions) {
+                extensions.push(asn1Schema.AsnConvert.parse(o.rawData, asn1X509.Extension));
+            }
+            attr.values.push(asn1Schema.AsnConvert.serialize(extensions));
+            asnReq.certificationRequestInfo.attributes.push(attr);
+        }
+        // const signingAlgorithm = { ...params.signingAlgorithm, ...params.keys.privateKey.algorithm };
+        const signingAlgorithm = Object.assign({}, params.keys.privateKey.algorithm);
+        const algProv = tsyringe.container.resolve(x509_1.diAlgorithmProvider);
+        asnReq.signatureAlgorithm = algProv.toAsnAlgorithm(signingAlgorithm);
+        const tbs = asn1Schema.AsnConvert.serialize(asnReq.certificationRequestInfo);
+        const signature = yield crypto.subtle.sign(signingAlgorithm, params.keys.privateKey, tbs);
+        const signatureFormatters = tsyringe.container.resolveAll(x509_1.diAsnSignatureFormatter).reverse();
+        let asnSignature = null;
+        for (const signatureFormatter of signatureFormatters) {
+            asnSignature = signatureFormatter.toAsnSignature(signingAlgorithm, signature);
+            if (asnSignature) {
+                break;
+            }
+        }
+        if (!asnSignature) {
+            throw Error("Cannot convert WebCrypto signature value to ASN.1 format");
+        }
+        asnReq.signature = asnSignature;
+        return new x509_1.Pkcs10CertificateRequest(asn1Schema.AsnConvert.serialize(asnReq));
+    });
+}
+exports.x509_Pkcs10CertificateRequestGenerator_create_fixed = x509_Pkcs10CertificateRequestGenerator_create_fixed;
+//# sourceMappingURL=_fix.js.map

package/dist/source/x509/_fix.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_fix.js","sourceRoot":"","sources":["../../../source/x509/_fix.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,oDAAoD;AACpD,8CAA8C;AAC9C,gDAAgD;AAChD,iDAAiD;AACjD,qCAAqC;AAErC,yCAOwB;AAExB,SAAsB,mDAAmD,CACrE,MAA4C;;QAG5C,MAAM,MAAM,GAAG,qBAAc,CAAC,GAAG,EAAE,CAAC;QAEpC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;YACzB,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;SACnF;QACD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;SAClF;QACD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC1E,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,oBAAoB,CAAC;YAC5C,wBAAwB,EAAE,IAAI,OAAO,CAAC,wBAAwB,CAAC;gBAC3D,aAAa,EAAE,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC,oBAAoB,CAAC;aAClF,CAAC;SACL,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,EAAE;YACb,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,YAAY,WAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,WAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC/E,MAAM,CAAC,wBAAwB,CAAC,OAAO,GAAG,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;SAC9G;QACD,IAAI,MAAM,CAAC,UAAU,EAAE;YACnB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE;gBAC/B,MAAM,CAAC,wBAAwB,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;aAC/G;SACJ;QACD,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE;YAC/C,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,4BAA4B,EAAE,CAAC,CAAC;YACrF,MAAM,UAAU,GAAG,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC7C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE;gBAC/B,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;aAC/E;YACD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;YAC9D,MAAM,CAAC,wBAAwB,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACzD;QAED,gGAAgG;QAE7F,MAAM,gBAAgB,qBAAQ,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAE,CAAC;QAEpE,MAAM,OAAO,GAAQ,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,0BAAmB,CAAC,CAAC;QACrE,MAAM,CAAC,kBAAkB,GAAG,OAAO,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC;QAGrE,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAE7E,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAE1F,MAAM,mBAAmB,GAAU,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,8BAAuB,CAAC,CAAC,OAAO,EAAE,CAAC;QAEpG,IAAI,YAAY,GAAG,IAAI,CAAC;QACxB,KAAK,MAAM,kBAAkB,IAAI,mBAAmB,EAAE;YAClD,YAAY,GAAG,kBAAkB,CAAC,cAAc,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;YAC9E,IAAI,YAAY,EAAE;gBACd,MAAM;aACT;SACJ;QACD,IAAI,CAAC,YAAY,EAAE;YACf,MAAM,KAAK,CAAC,0DAA0D,CAAC,CAAC;SAC3E;QACD,MAAM,CAAC,SAAS,GAAG,YAAY,CAAC;QAChC,OAAO,IAAI,+BAAwB,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACjF,CAAC;CAAA;AA/DD,kHA+DC"}

package/dist/source/x509/_get_attributes.d.ts

@@ -0,0 +1,8 @@
+import { CertificatePurpose } from "../common";
+import { x509 } from "./_crypto";
+export declare function getAttributes(purpose: CertificatePurpose): {
+    nsComment: string;
+    basicConstraints: x509.BasicConstraintsExtension;
+    keyUsageExtension: x509.ExtendedKeyUsage[];
+    usages: x509.KeyUsageFlags;
+};