node-opcua-crypto 2.1.2 → 3.0.0-beta.0

package/source/explore_certificate.ts

@@ -1,66 +1,66 @@
-/**
- * @module node_opcua_crypto
- */
-
-import { Certificate, CertificatePEM } from "./common";
-import { exploreCertificate, SubjectPublicKey } from "./crypto_explore_certificate";
-import { DirectoryName } from "./asn1";
-import { convertPEMtoDER } from "./crypto_utils";
-import * as assert from "assert";
-
-export type PublicKeyLength = 64 | 96 | 128 | 256 | 384 | 512;
-
-/**
- * A structure exposing useful information about a certificate
- */
-export interface CertificateInfo {
-    /** the public key length in bits */
-    publicKeyLength: PublicKeyLength;
-    /** the date at which the certificate starts to be valid */
-    notBefore: Date;
-    /** the date after which the certificate is not valid any more */
-    notAfter: Date;
-    /** info about certificate owner */
-    subject: DirectoryName;
-    /** public key */
-    publicKey: SubjectPublicKey;
-}
-
-export function coerceCertificate(certificate: Certificate | CertificatePEM): Certificate {
-    if (typeof certificate === "string") {
-        certificate = convertPEMtoDER(certificate);
-    }
-    assert(certificate instanceof Buffer);
-    return certificate;
-}
-
-/**
- * @method exploreCertificateInfo
- * returns useful information about the certificate such as public key length, start date and end of validity date,
- * and CN
- * @param certificate the certificate to explore
- */
-export function exploreCertificateInfo(certificate: Certificate | CertificatePEM): CertificateInfo {
-    certificate = coerceCertificate(certificate);
-
-    const certInfo = exploreCertificate(certificate);
-    const data: CertificateInfo = {
-        publicKeyLength: certInfo.tbsCertificate.subjectPublicKeyInfo.keyLength,
-        notBefore: certInfo.tbsCertificate.validity.notBefore,
-        notAfter: certInfo.tbsCertificate.validity.notAfter,
-        publicKey: certInfo.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey,
-        subject: certInfo.tbsCertificate.subject,
-    };
-    // istanbul ignore next
-    if (
-        !(
-            data.publicKeyLength === 512 ||
-            data.publicKeyLength === 384 ||
-            data.publicKeyLength === 256 ||
-            data.publicKeyLength === 128
-        )
-    ) {
-        throw new Error("Invalid public key length (expecting 128,256,384 or 512)" + data.publicKeyLength);
-    }
-    return data;
-}
+/**
+ * @module node_opcua_crypto
+ */
+
+import { Certificate, CertificatePEM } from "./common";
+import { exploreCertificate, SubjectPublicKey } from "./crypto_explore_certificate";
+import { DirectoryName } from "./asn1";
+import { convertPEMtoDER } from "./crypto_utils";
+import * as assert from "assert";
+
+export type PublicKeyLength = 64 | 96 | 128 | 256 | 384 | 512;
+
+/**
+ * A structure exposing useful information about a certificate
+ */
+export interface CertificateInfo {
+    /** the public key length in bits */
+    publicKeyLength: PublicKeyLength;
+    /** the date at which the certificate starts to be valid */
+    notBefore: Date;
+    /** the date after which the certificate is not valid any more */
+    notAfter: Date;
+    /** info about certificate owner */
+    subject: DirectoryName;
+    /** public key */
+    publicKey: SubjectPublicKey;
+}
+
+export function coerceCertificate(certificate: Certificate | CertificatePEM): Certificate {
+    if (typeof certificate === "string") {
+        certificate = convertPEMtoDER(certificate);
+    }
+    assert(certificate instanceof Buffer);
+    return certificate;
+}
+
+/**
+ * @method exploreCertificateInfo
+ * returns useful information about the certificate such as public key length, start date and end of validity date,
+ * and CN
+ * @param certificate the certificate to explore
+ */
+export function exploreCertificateInfo(certificate: Certificate | CertificatePEM): CertificateInfo {
+    certificate = coerceCertificate(certificate);
+
+    const certInfo = exploreCertificate(certificate);
+    const data: CertificateInfo = {
+        publicKeyLength: certInfo.tbsCertificate.subjectPublicKeyInfo.keyLength,
+        notBefore: certInfo.tbsCertificate.validity.notBefore,
+        notAfter: certInfo.tbsCertificate.validity.notAfter,
+        publicKey: certInfo.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey,
+        subject: certInfo.tbsCertificate.subject,
+    };
+    // istanbul ignore next
+    if (
+        !(
+            data.publicKeyLength === 512 ||
+            data.publicKeyLength === 384 ||
+            data.publicKeyLength === 256 ||
+            data.publicKeyLength === 128
+        )
+    ) {
+        throw new Error("Invalid public key length (expecting 128,256,384 or 512)" + data.publicKeyLength);
+    }
+    return data;
+}

package/source/explore_certificate_revocation_list.ts

@@ -1,122 +1,122 @@
-import {
-    _readStruct,
-    readTag,
-    _readBitString,
-    AlgorithmIdentifier,
-    _readAlgorithmIdentifier,
-    _readSignatureValue,
-    _readSignatureValueBin,
-    BlockInfo,
-    _readObjectIdentifier,
-    DirectoryName,
-    _readValue,
-    _readTime,
-    _readLongIntegerValue,
-    formatBuffer2DigitHexWithColum,
-    _getBlock,
-    _readDirectoryName,
-    _findBlockAtIndex,
-    _readIntegerValue,
-    TagType,
-} from "./asn1";
-import { CertificateRevocationList } from "./common";
-import { makeSHA1Thumbprint, convertPEMtoDER } from "./crypto_utils";
-
-export type Version = string;
-export type Name = string;
-export type CertificateSerialNumber = string;
-export type Extensions = Record<string, unknown>;
-export interface RevokedCertificate {
-    userCertificate: CertificateSerialNumber;
-    revocationDate: Date;
-    crlEntryExtensions?: Extensions;
-}
-export interface TBSCertList {
-    version?: Version; //OPTIONAL; // must be 2
-    signature: AlgorithmIdentifier;
-    issuer: Name;
-    issuerFingerprint: string; // 00:AA:BB:etc ...
-    thisUpdate: Date;
-    nextUpdate?: Date; //             Time OPTIONAL,
-    revokedCertificates: RevokedCertificate[];
-    //    crlExtensions[0]  EXPLICIT Extensions OPTIONAL
-}
-export interface CertificateRevocationListInfo {
-    tbsCertList: TBSCertList;
-    signatureAlgorithm: AlgorithmIdentifier;
-    signatureValue: Buffer;
-}
-
-export function readNameForCrl(buffer: Buffer, block: BlockInfo): DirectoryName {
-    return _readDirectoryName(buffer, block);
-}
-
-function _readTbsCertList(buffer: Buffer, blockInfo: BlockInfo): TBSCertList {
-    const blocks = _readStruct(buffer, blockInfo);
-
-    const hasOptionalVersion = blocks[0].tag === TagType.INTEGER;
-
-    if (hasOptionalVersion) {
-        const version = _readIntegerValue(buffer, blocks[0]);
-        const signature = _readAlgorithmIdentifier(buffer, blocks[1]);
-        const issuer = readNameForCrl(buffer, blocks[2]);
-        const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, blocks[2])));
-
-        const thisUpdate = _readTime(buffer, blocks[3]);
-        const nextUpdate = _readTime(buffer, blocks[4]);
-
-        const revokedCertificates: RevokedCertificate[] = [];
-
-        if (blocks[5] && blocks[5].tag < 0x80) {
-            const list = _readStruct(buffer, blocks[5]);
-            for (const r of list) {
-                // sometime blocks[5] doesn't exits .. in this case
-                const rr = _readStruct(buffer, r);
-                const userCertificate = formatBuffer2DigitHexWithColum(_readLongIntegerValue(buffer, rr[0]));
-                const revocationDate = _readTime(buffer, rr[1]);
-                revokedCertificates.push({
-                    revocationDate,
-                    userCertificate,
-                });
-            }
-        }
-
-        const ext0 = _findBlockAtIndex(blocks, 0);
-        return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates } as TBSCertList;
-    } else {
-
-        const signature = _readAlgorithmIdentifier(buffer, blocks[0]);
-        const issuer = readNameForCrl(buffer, blocks[1]);
-        const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, blocks[1])));
-
-        const thisUpdate = _readTime(buffer, blocks[2]);
-        const nextUpdate = _readTime(buffer, blocks[3]);
-
-        const revokedCertificates: RevokedCertificate[] = [];
-
-        if (blocks[4] && blocks[4].tag < 0x80) {
-            const list = _readStruct(buffer, blocks[4]);
-            for (const r of list) {
-                // sometime blocks[5] doesn't exits .. in this case
-                const rr = _readStruct(buffer, r);
-                const userCertificate = formatBuffer2DigitHexWithColum(_readLongIntegerValue(buffer, rr[0]));
-                const revocationDate = _readTime(buffer, rr[1]);
-                revokedCertificates.push({
-                    revocationDate,
-                    userCertificate,
-                });
-            }
-        }
-        return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates } as TBSCertList;
-    }
-}
-// see https://tools.ietf.org/html/rfc5280
-
-export function exploreCertificateRevocationList(crl: CertificateRevocationList): CertificateRevocationListInfo {
-    const blockInfo = readTag(crl, 0);
-    const blocks = _readStruct(crl, blockInfo);
-    const tbsCertList = _readTbsCertList(crl, blocks[0]);
-    const signatureAlgorithm = _readAlgorithmIdentifier(crl, blocks[1]);
-    const signatureValue = _readSignatureValueBin(crl, blocks[2]);
-    return { tbsCertList, signatureAlgorithm, signatureValue };
-}
+import {
+    _readStruct,
+    readTag,
+    _readBitString,
+    AlgorithmIdentifier,
+    _readAlgorithmIdentifier,
+    _readSignatureValue,
+    _readSignatureValueBin,
+    BlockInfo,
+    _readObjectIdentifier,
+    DirectoryName,
+    _readValue,
+    _readTime,
+    _readLongIntegerValue,
+    formatBuffer2DigitHexWithColum,
+    _getBlock,
+    _readDirectoryName,
+    _findBlockAtIndex,
+    _readIntegerValue,
+    TagType,
+} from "./asn1";
+import { CertificateRevocationList } from "./common";
+import { makeSHA1Thumbprint, convertPEMtoDER } from "./crypto_utils";
+
+export type Version = string;
+export type Name = string;
+export type CertificateSerialNumber = string;
+export type Extensions = Record<string, unknown>;
+export interface RevokedCertificate {
+    userCertificate: CertificateSerialNumber;
+    revocationDate: Date;
+    crlEntryExtensions?: Extensions;
+}
+export interface TBSCertList {
+    version?: Version; //OPTIONAL; // must be 2
+    signature: AlgorithmIdentifier;
+    issuer: Name;
+    issuerFingerprint: string; // 00:AA:BB:etc ...
+    thisUpdate: Date;
+    nextUpdate?: Date; //             Time OPTIONAL,
+    revokedCertificates: RevokedCertificate[];
+    //    crlExtensions[0]  EXPLICIT Extensions OPTIONAL
+}
+export interface CertificateRevocationListInfo {
+    tbsCertList: TBSCertList;
+    signatureAlgorithm: AlgorithmIdentifier;
+    signatureValue: Buffer;
+}
+
+export function readNameForCrl(buffer: Buffer, block: BlockInfo): DirectoryName {
+    return _readDirectoryName(buffer, block);
+}
+
+function _readTbsCertList(buffer: Buffer, blockInfo: BlockInfo): TBSCertList {
+    const blocks = _readStruct(buffer, blockInfo);
+
+    const hasOptionalVersion = blocks[0].tag === TagType.INTEGER;
+
+    if (hasOptionalVersion) {
+        const version = _readIntegerValue(buffer, blocks[0]);
+        const signature = _readAlgorithmIdentifier(buffer, blocks[1]);
+        const issuer = readNameForCrl(buffer, blocks[2]);
+        const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, blocks[2])));
+
+        const thisUpdate = _readTime(buffer, blocks[3]);
+        const nextUpdate = _readTime(buffer, blocks[4]);
+
+        const revokedCertificates: RevokedCertificate[] = [];
+
+        if (blocks[5] && blocks[5].tag < 0x80) {
+            const list = _readStruct(buffer, blocks[5]);
+            for (const r of list) {
+                // sometime blocks[5] doesn't exits .. in this case
+                const rr = _readStruct(buffer, r);
+                const userCertificate = formatBuffer2DigitHexWithColum(_readLongIntegerValue(buffer, rr[0]));
+                const revocationDate = _readTime(buffer, rr[1]);
+                revokedCertificates.push({
+                    revocationDate,
+                    userCertificate,
+                });
+            }
+        }
+
+        const ext0 = _findBlockAtIndex(blocks, 0);
+        return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates } as TBSCertList;
+    } else {
+
+        const signature = _readAlgorithmIdentifier(buffer, blocks[0]);
+        const issuer = readNameForCrl(buffer, blocks[1]);
+        const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, blocks[1])));
+
+        const thisUpdate = _readTime(buffer, blocks[2]);
+        const nextUpdate = _readTime(buffer, blocks[3]);
+
+        const revokedCertificates: RevokedCertificate[] = [];
+
+        if (blocks[4] && blocks[4].tag < 0x80) {
+            const list = _readStruct(buffer, blocks[4]);
+            for (const r of list) {
+                // sometime blocks[5] doesn't exits .. in this case
+                const rr = _readStruct(buffer, r);
+                const userCertificate = formatBuffer2DigitHexWithColum(_readLongIntegerValue(buffer, rr[0]));
+                const revocationDate = _readTime(buffer, rr[1]);
+                revokedCertificates.push({
+                    revocationDate,
+                    userCertificate,
+                });
+            }
+        }
+        return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates } as TBSCertList;
+    }
+}
+// see https://tools.ietf.org/html/rfc5280
+
+export function exploreCertificateRevocationList(crl: CertificateRevocationList): CertificateRevocationListInfo {
+    const blockInfo = readTag(crl, 0);
+    const blocks = _readStruct(crl, blockInfo);
+    const tbsCertList = _readTbsCertList(crl, blocks[0]);
+    const signatureAlgorithm = _readAlgorithmIdentifier(crl, blocks[1]);
+    const signatureValue = _readSignatureValueBin(crl, blocks[2]);
+    return { tbsCertList, signatureAlgorithm, signatureValue };
+}

package/source/explore_certificate_signing_request.ts

@@ -1,58 +1,58 @@
-import * as assert from "assert";
-import { BlockInfo, readTag, _findBlockAtIndex, _getBlock, _readObjectIdentifier, _readStruct, _readVersionValue } from "./asn1";
-
-import { BasicConstraints, X509KeyUsage, _readExtension } from "./crypto_explore_certificate";
-
-export interface ExtensionRequest {
-    basicConstraints: BasicConstraints;
-    keyUsage: X509KeyUsage;
-    subjectAltName: any;
-}
-export interface CertificateSigningRequestInfo {
-    extensionRequest: ExtensionRequest;
-}
-
-function _readExtensionRequest(buffer: Buffer): ExtensionRequest {
-    const block = readTag(buffer, 0);
-
-    const inner_blocks = _readStruct(buffer, block);
-    const extensions = inner_blocks.map((block1) => _readExtension(buffer, block1));
-
-    const result: any = {};
-    for (const e of extensions) {
-        result[e.identifier.name] = e.value;
-    }
-    const { basicConstraints, keyUsage, subjectAltName } = result;
-    return { basicConstraints, keyUsage, subjectAltName };
-}
-
-export function readCertificationRequestInfo(buffer: Buffer, block: BlockInfo): CertificateSigningRequestInfo {
-    const blocks = _readStruct(buffer, block);
-    if (blocks.length === 4) {
-        const extensionRequestBlock = _findBlockAtIndex(blocks, 0);
-        if (!extensionRequestBlock) {
-            throw new Error("cannot find extensionRequest block");
-        }
-        const blocks1 = _readStruct(buffer, extensionRequestBlock);
-        const blocks2 = _readStruct(buffer, blocks1[0]);
-        const identifier = _readObjectIdentifier(buffer, blocks2[0]);
-        if (identifier.name !== "extensionRequest") {
-            throw new Error(" Cannot find extension Request in ASN1 block");
-        }
-        const buf = _getBlock(buffer, blocks2[1]);
-
-        const extensionRequest = _readExtensionRequest(buf);
-
-        return { extensionRequest };
-    }
-    throw new Error("Invalid CSR or ");
-}
-
-// see https://tools.ietf.org/html/rfc2986 : Certification Request Syntax Specification Version 1.7
-
-export function exploreCertificateSigningRequest(crl: Buffer): CertificateSigningRequestInfo {
-    const blockInfo = readTag(crl, 0);
-    const blocks = _readStruct(crl, blockInfo);
-    const csrInfo = readCertificationRequestInfo(crl, blocks[0]);
-    return csrInfo;
-}
+import * as assert from "assert";
+import { BlockInfo, readTag, _findBlockAtIndex, _getBlock, _readObjectIdentifier, _readStruct, _readVersionValue } from "./asn1";
+
+import { BasicConstraints, X509KeyUsage, _readExtension } from "./crypto_explore_certificate";
+
+export interface ExtensionRequest {
+    basicConstraints: BasicConstraints;
+    keyUsage: X509KeyUsage;
+    subjectAltName: any;
+}
+export interface CertificateSigningRequestInfo {
+    extensionRequest: ExtensionRequest;
+}
+
+function _readExtensionRequest(buffer: Buffer): ExtensionRequest {
+    const block = readTag(buffer, 0);
+
+    const inner_blocks = _readStruct(buffer, block);
+    const extensions = inner_blocks.map((block1) => _readExtension(buffer, block1));
+
+    const result: any = {};
+    for (const e of extensions) {
+        result[e.identifier.name] = e.value;
+    }
+    const { basicConstraints, keyUsage, subjectAltName } = result;
+    return { basicConstraints, keyUsage, subjectAltName };
+}
+
+export function readCertificationRequestInfo(buffer: Buffer, block: BlockInfo): CertificateSigningRequestInfo {
+    const blocks = _readStruct(buffer, block);
+    if (blocks.length === 4) {
+        const extensionRequestBlock = _findBlockAtIndex(blocks, 0);
+        if (!extensionRequestBlock) {
+            throw new Error("cannot find extensionRequest block");
+        }
+        const blocks1 = _readStruct(buffer, extensionRequestBlock);
+        const blocks2 = _readStruct(buffer, blocks1[0]);
+        const identifier = _readObjectIdentifier(buffer, blocks2[0]);
+        if (identifier.name !== "extensionRequest") {
+            throw new Error(" Cannot find extension Request in ASN1 block");
+        }
+        const buf = _getBlock(buffer, blocks2[1]);
+
+        const extensionRequest = _readExtensionRequest(buf);
+
+        return { extensionRequest };
+    }
+    throw new Error("Invalid CSR or ");
+}
+
+// see https://tools.ietf.org/html/rfc2986 : Certification Request Syntax Specification Version 1.7
+
+export function exploreCertificateSigningRequest(crl: Buffer): CertificateSigningRequestInfo {
+    const blockInfo = readTag(crl, 0);
+    const blocks = _readStruct(crl, blockInfo);
+    const csrInfo = readCertificationRequestInfo(crl, blocks[0]);
+    return csrInfo;
+}

package/source/explore_private_key.ts

@@ -35,8 +35,7 @@ const doDebug = !!process.env.DEBUG;
 }
  */
 export function explorePrivateKey(privateKey1: PrivateKey): PrivateKeyInternals {
-    const privateKey = privateKey1.export({ format: "der", type: "pkcs1" }) as Buffer;
-    assert(privateKey instanceof Buffer);
+    const privateKey = privateKey1.export({ format: "der", type: "pkcs1" });
     const block_info = readTag(privateKey, 0);
     const blocks = _readStruct(privateKey, block_info);
 

package/source/index.ts

@@ -1,13 +1,17 @@
-/**
- * @module node_opcua_crypto
- */
-export * from "./common";
-export * from "./derived_keys";
-export * from "./explore_certificate";
-export * from "./crypto_utils";
-export * from "./crypto_explore_certificate";
-export * from "./verify_certificate_signature";
-export * from "./explore_certificate_revocation_list";
-export * from "./explore_certificate_signing_request";
-export * from "./explore_private_key";
-export * from "./public_private_match";
+/**
+ * @module node_opcua_crypto
+ */
+export * from "./common";
+export * from "./derived_keys";
+export * from "./explore_certificate";
+export * from "./crypto_utils";
+export * from "./crypto_explore_certificate";
+export * from "./verify_certificate_signature";
+export * from "./explore_certificate_revocation_list";
+export * from "./explore_certificate_signing_request";
+export * from "./explore_private_key";
+export * from "./public_private_match";
+export * from "./x509/create_key_pair";
+export * from "./x509/create_certificate_signing_request";
+export * from "./x509/create_self_signed_certificate";
+export * from "./subject";