node-opcua-crypto 2.1.2 → 3.0.0-beta.0

package/source/subject.ts

@@ -0,0 +1,144 @@
+// ---------------------------------------------------------------------------------------------------------------------
+// node-opcua-pki
+// ---------------------------------------------------------------------------------------------------------------------
+// Copyright (c) 2014-2022 - Etienne Rossignon - etienne.rossignon (at) gadz.org
+// Copyright (c) 2022 - Sterfive.com
+// ---------------------------------------------------------------------------------------------------------------------
+//
+// This  project is licensed under the terms of the MIT license.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+// documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so,  subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+// Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+// ---------------------------------------------------------------------------------------------------------------------
+
+export interface SubjectOptions {
+    commonName?: string;
+    organization?: string;
+    organizationalUnit?: string;
+    locality?: string;
+    state?: string;
+    country?: string;
+    domainComponent?: string;
+}
+
+const _keys = {
+    C: "country",
+    CN: "commonName",
+    DC: "domainComponent",
+    L: "locality",
+    O: "organization",
+    OU: "organizationalUnit",
+    ST: "state",
+};
+
+const enquoteIfNecessary = (str: string) => {
+    str = str.replace(/"/g, "”");
+    return str.match(/\/|=/) ? `"${str}"` : str;
+};
+const unquote = (str: string) => str.replace(/"/gm, "");
+const unquote2 = (str?: string | undefined) => {
+    if (!str) return str;
+    const m = str.match(/^"(.*)"$/);
+    return m ? m[1] : str;
+};
+/**
+ * subjectName	The subject name to use for the Certificate.
+ * If not specified the ApplicationName and/or domainNames are used to create a suitable default value.
+ */
+export class Subject implements SubjectOptions {
+    public readonly commonName?: string;
+    public readonly organization?: string;
+    public readonly organizationalUnit?: string;
+    public readonly locality?: string;
+    public readonly state?: string;
+    public readonly country?: string;
+    public readonly domainComponent?: string;
+
+    constructor(options: SubjectOptions | string) {
+        if (typeof options === "string") {
+            options = Subject.parse(options);
+        }
+        this.commonName = unquote2(options.commonName);
+        this.organization = unquote2(options.organization);
+        this.organizationalUnit = unquote2(options.organizationalUnit);
+        this.locality = unquote2(options.locality);
+        this.state = unquote2(options.state);
+        this.country = unquote2(options.country);
+        this.domainComponent = unquote2(options.domainComponent);
+    }
+
+    public static parse(str: string): SubjectOptions {
+        const elements = str.split(/\/(?=[^/]*?=)/);
+        const options: Record<string, unknown> = {};
+
+        elements.forEach((element: string) => {
+            if (element.length === 0) {
+                return;
+            }
+            const s: string[] = element.split("=");
+
+            if (s.length !== 2) {
+                throw new Error("invalid format for " + element);
+            }
+            const longName = (_keys as Record<string, string>)[s[0]];
+            if (!longName) {
+                throw new Error("Invalid field found in subject name " + s[0]);
+            }
+            const value = s[1];
+            options[longName] = unquote(Buffer.from(value, "ascii").toString("utf8"));
+        });
+        return options as SubjectOptions;
+    }
+
+    public toStringInternal(sep: string): string {
+        // https://reference.opcfoundation.org/v104/GDS/docs/7.6.4/
+        // The format of the subject name is a sequence of name value pairs separated by a ‘/’.
+        // The name shall be one of ‘CN’, ‘O’, ‘OU’, ‘DC’, ‘L’, ‘S’ or ‘C’ and
+        // shall be followed by a ‘=’ and then followed by the value.
+        // The value may be any printable character except for ‘”’.
+        // If the value contains a ‘/’ or a ‘=’ then it shall be enclosed in double quotes (‘”’).
+
+        const tmp: string[] = [];
+        if (this.country) {
+            tmp.push("C=" + enquoteIfNecessary(this.country));
+        }
+        if (this.state) {
+            tmp.push("ST=" + enquoteIfNecessary(this.state));
+        }
+        if (this.locality) {
+            tmp.push("L=" + enquoteIfNecessary(this.locality));
+        }
+        if (this.organization) {
+            tmp.push("O=" + enquoteIfNecessary(this.organization));
+        }
+        if (this.organizationalUnit) {
+            tmp.push("OU=" + enquoteIfNecessary(this.organizationalUnit));
+        }
+        if (this.commonName) {
+            tmp.push("CN=" + enquoteIfNecessary(this.commonName));
+        }
+        if (this.domainComponent) {
+            tmp.push("DC=" + enquoteIfNecessary(this.domainComponent));
+        }
+        return tmp.join(sep);
+    }
+    public toStringForOPCUA(): string {
+        return this.toStringInternal("/");
+    }
+    public toString(): string {
+        // standard for SSL is to have a / in front of each Field
+        // see https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
+        const t = this.toStringForOPCUA();
+        return t ? "/" + t : t;
+    }
+}

package/source/verify_certificate_signature.ts

@@ -1,105 +1,105 @@
-// tslint:disable: no-console
-
-// Now that we got a hash of the original certificate,
-// we need to verify if we can obtain the same hash by using the same hashing function
-// (in this case SHA-384). In order to do that, we need to extract just the body of
-// the signed certificate. Which, in our case, is everything but the signature.
-// The start of the body is always the first digit of the second line of the following command:
-import * as crypto from "crypto";
-
-import { Certificate, PrivateKey } from "./common";
-import { split_der, exploreCertificate } from "./crypto_explore_certificate";
-import { toPem } from "./crypto_utils";
-import { _readAlgorithmIdentifier, _readSignatureValueBin, TagType, readTag, _readStruct, _getBlock } from "./asn1";
-
-export function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCertificate: Certificate): boolean {
-    const block_info = readTag(certificateOrCrl, 0);
-    const blocks = _readStruct(certificateOrCrl, block_info);
-    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
-
-    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
-    const signatureAlgorithm = _readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
-    const signatureValue = _readSignatureValueBin(certificateOrCrl, blocks[2]);
-
-    const p = split_der(parentCertificate)[0];
-    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
-    const certPem = toPem(p, "CERTIFICATE");
-    const verify = crypto.createVerify(signatureAlgorithm.identifier);
-    verify.update(bufferToBeSigned);
-    verify.end();
-    return verify.verify(certPem, signatureValue);
-}
-
-export function verifyCertificateSignature(certificate: Certificate, parentCertificate: Certificate): boolean {
-    return verifyCertificateOrClrSignature(certificate, parentCertificate);
-}
-export function verifyCertificateRevocationListSignature(
-    certificateRevocationList: Certificate,
-    parentCertificate: Certificate
-): boolean {
-    return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
-}
-
-export type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
-export async function verifyCertificateChain(certificateChain: Certificate[]): Promise<{ status: _VerifyStatus; reason: string }> {
-    // verify that all the certificate
-    // second certificate must be used for CertificateSign
-
-    for (let index = 1; index < certificateChain.length; index++) {
-        const cert = certificateChain[index - 1];
-        const certParent = certificateChain[index];
-
-        // parent child must have keyCertSign
-        const certParentInfo = exploreCertificate(certParent);
-        const keyUsage = certParentInfo.tbsCertificate.extensions!.keyUsage!;
-
-        // istanbul ignore next
-        if (!keyUsage.keyCertSign) {
-            return {
-                status: "BadCertificateIssuerUseNotAllowed",
-                reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
-            };
-        }
-
-        const parentSignChild = verifyCertificateSignature(cert, certParent);
-        if (!parentSignChild) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "One of the certificate in the chain is not signing the previous certificate",
-            };
-        }
-        const certInfo = exploreCertificate(cert);
-
-        // istanbul ignore next
-        if (!certInfo.tbsCertificate.extensions) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "Cannot find X409 Extension 3 in certificate",
-            };
-        }
-
-        // istanbul ignore next
-        if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
-            return {
-                status: "BadCertificateInvalid",
-                reason: "Cannot find X409 Extension 3 in certificate (parent)",
-            };
-        }
-
-        // istanbul ignore next
-        if (
-            certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
-            certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier
-        ) {
-            return {
-                status: "BadCertificateInvalid",
-                reason:
-                    "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
-            };
-        }
-    }
-    return {
-        status: "Good",
-        reason: `certificate chain is valid(length = ${certificateChain.length})`,
-    };
-}
+// tslint:disable: no-console
+
+// Now that we got a hash of the original certificate,
+// we need to verify if we can obtain the same hash by using the same hashing function
+// (in this case SHA-384). In order to do that, we need to extract just the body of
+// the signed certificate. Which, in our case, is everything but the signature.
+// The start of the body is always the first digit of the second line of the following command:
+import * as crypto from "crypto";
+
+import { Certificate, PrivateKey } from "./common";
+import { split_der, exploreCertificate } from "./crypto_explore_certificate";
+import { toPem } from "./crypto_utils";
+import { _readAlgorithmIdentifier, _readSignatureValueBin, TagType, readTag, _readStruct, _getBlock } from "./asn1";
+
+export function verifyCertificateOrClrSignature(certificateOrCrl: Buffer, parentCertificate: Certificate): boolean {
+    const block_info = readTag(certificateOrCrl, 0);
+    const blocks = _readStruct(certificateOrCrl, block_info);
+    const bufferToBeSigned = certificateOrCrl.slice(block_info.position, blocks[1].position - 2);
+
+    //xx console.log("bufferToBeSigned  = ", bufferToBeSigned.length, bufferToBeSigned.toString("hex").substr(0, 50), bufferToBeSigned.toString("hex").substr(-10));
+    const signatureAlgorithm = _readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
+    const signatureValue = _readSignatureValueBin(certificateOrCrl, blocks[2]);
+
+    const p = split_der(parentCertificate)[0];
+    //xx    const publicKey = extractPublicKeyFromCertificateSync(p);
+    const certPem = toPem(p, "CERTIFICATE");
+    const verify = crypto.createVerify(signatureAlgorithm.identifier);
+    verify.update(bufferToBeSigned);
+    verify.end();
+    return verify.verify(certPem, signatureValue);
+}
+
+export function verifyCertificateSignature(certificate: Certificate, parentCertificate: Certificate): boolean {
+    return verifyCertificateOrClrSignature(certificate, parentCertificate);
+}
+export function verifyCertificateRevocationListSignature(
+    certificateRevocationList: Certificate,
+    parentCertificate: Certificate
+): boolean {
+    return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+}
+
+export type _VerifyStatus = "BadCertificateIssuerUseNotAllowed" | "BadCertificateInvalid" | "Good";
+export async function verifyCertificateChain(certificateChain: Certificate[]): Promise<{ status: _VerifyStatus; reason: string }> {
+    // verify that all the certificate
+    // second certificate must be used for CertificateSign
+
+    for (let index = 1; index < certificateChain.length; index++) {
+        const cert = certificateChain[index - 1];
+        const certParent = certificateChain[index];
+
+        // parent child must have keyCertSign
+        const certParentInfo = exploreCertificate(certParent);
+        const keyUsage = certParentInfo.tbsCertificate.extensions!.keyUsage!;
+
+        // istanbul ignore next
+        if (!keyUsage.keyCertSign) {
+            return {
+                status: "BadCertificateIssuerUseNotAllowed",
+                reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing",
+            };
+        }
+
+        const parentSignChild = verifyCertificateSignature(cert, certParent);
+        if (!parentSignChild) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "One of the certificate in the chain is not signing the previous certificate",
+            };
+        }
+        const certInfo = exploreCertificate(cert);
+
+        // istanbul ignore next
+        if (!certInfo.tbsCertificate.extensions) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "Cannot find X409 Extension 3 in certificate",
+            };
+        }
+
+        // istanbul ignore next
+        if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+            return {
+                status: "BadCertificateInvalid",
+                reason: "Cannot find X409 Extension 3 in certificate (parent)",
+            };
+        }
+
+        // istanbul ignore next
+        if (
+            certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !==
+            certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier
+        ) {
+            return {
+                status: "BadCertificateInvalid",
+                reason:
+                    "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate",
+            };
+        }
+    }
+    return {
+        status: "Good",
+        reason: `certificate chain is valid(length = ${certificateChain.length})`,
+    };
+}

package/source/x509/_build_public_key.ts

@@ -0,0 +1,25 @@
+import { cryptoProvider } from "@peculiar/x509";
+
+// https://stackoverflow.com/questions/56807959/generate-public-key-from-private-key-using-webcrypto-api
+export async function buildPublicKey(privateKey: CryptoKey): Promise<CryptoKey> {
+    const crypto = cryptoProvider.get();
+
+    // export private key to JWK
+    const jwk = await crypto.subtle.exportKey("jwk", privateKey);
+
+    // remove private data from JWK
+    delete jwk.d;
+    delete jwk.dp;
+    delete jwk.dq;
+    delete jwk.q;
+    delete jwk.qi;
+    jwk.key_ops = ["encrypt", "wrapKey"];
+
+    // import public key
+    const publicKey = await crypto.subtle.importKey("jwk", jwk, { name: "RSA-OAEP", hash: "SHA-512" }, true, [
+        "encrypt",
+        "wrapKey",
+    ]);
+
+    return publicKey;
+}

package/source/x509/_crypto.ts

@@ -0,0 +1,5 @@
+import * as x509 from "@peculiar/x509";
+import { Crypto } from "@peculiar/webcrypto";
+export const crypto = new Crypto();
+x509.cryptoProvider.set(crypto);
+export * as x509 from "@peculiar/x509";

package/source/x509/_get_attributes.ts

@@ -0,0 +1,60 @@
+import { CertificatePurpose } from "../common";
+import {x509} from "./_crypto";
+
+// key usage of OPCUA Server or OPCUA Client
+const keyUsageApplication =
+    x509.KeyUsageFlags.keyEncipherment | x509.KeyUsageFlags.dataEncipherment | x509.KeyUsageFlags.digitalSignature;
+
+// key usage for CA certificate
+const keyUsageCA = x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign;
+
+export function getAttributes(purpose: CertificatePurpose): {
+    nsComment: string;
+    basicConstraints: x509.BasicConstraintsExtension;
+    keyUsageExtension: x509.ExtendedKeyUsage[];
+    usages: x509.KeyUsageFlags;
+} {
+    let basicConstraints: x509.BasicConstraintsExtension;
+    let keyUsageExtension: x509.ExtendedKeyUsage[] = [];
+    let usages: x509.KeyUsageFlags;
+    let nsComment: string;
+    let extension: string;
+    switch (purpose) {
+        case CertificatePurpose.ForCertificateAuthority:
+            extension = "v3_ca";
+            /**
+                [ v3_ca ]
+                subjectKeyIdentifier        = hash
+                authorityKeyIdentifier      = keyid:always,issuer:always
+                *  basicConstraints            = CA:TRUE
+                * keyUsage                    = critical, cRLSign, keyCertSign
+                * nsComment                   = "Self-signed Certificate for CA generated by Node-OPCUA Certificate utility"
+                subjectAltName              = $ENV::ALTNAME
+             */
+            basicConstraints = new x509.BasicConstraintsExtension(true, undefined, false);
+            usages = keyUsageCA;
+            keyUsageExtension = [];
+            nsComment = "Self-signed certificate for CA generated by Node-OPCUA Certificate utility V2";
+            break;
+        case CertificatePurpose.ForApplication:
+        case CertificatePurpose.ForUserAuthentication:
+        default:
+            /**
+               [ v3_selfsigned]
+               subjectKeyIdentifier       = hash
+                authorityKeyIdentifier    = keyid,issuer
+                * basicConstraints          = critical, CA:FALSE
+                * keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
+                * extendedKeyUsage          = clientAuth,serverAuth
+                * nsComment                 = "Self-signed certificate generated by Node-OPCUA Certificate utility"
+                subjectAltName            = $ENV::ALTNAME
+             */
+            extension = "v3_selfsigned";
+            basicConstraints = new x509.BasicConstraintsExtension(false, undefined, true);
+            usages = keyUsageApplication;
+            keyUsageExtension = [x509.ExtendedKeyUsage.serverAuth, x509.ExtendedKeyUsage.clientAuth];
+            nsComment = "Self-signed certificate generated by Node-OPCUA Certificate utility V2";
+            break;
+    }
+    return { nsComment, basicConstraints, keyUsageExtension, usages };
+}

package/source/x509/create_certificate_signing_request.ts

@@ -0,0 +1,64 @@
+import { Subject } from "../subject";
+import { CertificatePurpose } from "../common";
+import { getAttributes } from "./_get_attributes";
+import { x509 } from "./_crypto";
+import { buildPublicKey } from "./_build_public_key";
+
+interface CreateCertificateSigningRequestOptions {
+    privateKey: CryptoKey;
+    notBefore?: Date;
+    notAfter?: Date;
+    validity?: number;
+    subject?: string;
+    dns?: string[];
+    ip?: string[];
+    applicationUri?: string;
+    purpose: CertificatePurpose;
+}
+export async function createCertificateSigningRequest({
+    privateKey,
+    subject,
+    dns,
+    ip,
+    applicationUri,
+    purpose,
+}: CreateCertificateSigningRequestOptions) {
+    const modulusLength = 2048;
+
+    const alg = {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: { name: "SHA-256" },
+        publicExponent: new Uint8Array([1, 0, 1]),
+        modulusLength,
+    };
+
+    const publicKey  = await buildPublicKey(privateKey);
+  
+    const keys = {
+        privateKey,
+        publicKey,
+    };
+
+    const alternativeNameExtensions: x509.JsonGeneralName[] = [];
+    dns && dns.forEach((d) => alternativeNameExtensions.push({ type: "dns", value: d }));
+    ip && ip.forEach((d) => alternativeNameExtensions.push({ type: "ip", value: d }));
+    applicationUri && alternativeNameExtensions.push({ type: "url", value: applicationUri });
+
+    const { basicConstraints, usages } = getAttributes(purpose);
+
+    const s = new Subject(subject || "");
+    const s1 = s.toStringInternal(", ");
+    const name = s1;
+
+    const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+        name,
+        keys,
+        signingAlgorithm: alg,
+        extensions: [
+            basicConstraints,
+            new x509.KeyUsagesExtension(usages, true),
+            new x509.SubjectAlternativeNameExtension(alternativeNameExtensions),
+        ],
+    });
+    return { csr: csr.toString("pem"), der: csr };
+}

package/source/x509/create_key_pair.ts

@@ -0,0 +1,70 @@
+import * as x509 from "@peculiar/x509";
+import { Crypto } from "@peculiar/webcrypto";
+const crypto = new Crypto();
+x509.cryptoProvider.set(crypto);
+
+// ---------------------------------------------------------
+
+interface KeyAlgorithm {
+    name: string;
+}
+type KeyType = "private" | "public" | "secret";
+type KeyUsage = "decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey";
+
+/**
+ * The CryptoKey dictionary of the Web Crypto API represents a cryptographic key.
+ * Available only in secure contexts.
+ */
+interface CryptoKey {
+    readonly algorithm: KeyAlgorithm;
+    readonly extractable: boolean;
+    readonly type: KeyType;
+    readonly usages: KeyUsage[];
+}
+interface CryptoKeyPair {
+    privateKey: CryptoKey;
+    publicKey: CryptoKey;
+}
+
+// ---------------------------------------------------------
+
+export async function generateKeyPair(modulusLength: 1024 | 2048 | 3072 | 4096 = 2048): Promise<CryptoKeyPair> {
+    const alg: RsaHashedKeyGenParams = {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: { name: "SHA-256" },
+        publicExponent: new Uint8Array([1, 0, 1]),
+        modulusLength,
+    };
+    const keys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
+    return keys;
+}
+
+export async function generatePrivateKey(modulusLength: 1024 | 2048 | 3072 | 4096 = 2048): Promise<CryptoKey> {
+    return (await generateKeyPair(modulusLength)).privateKey;
+}
+
+export async function privateKeyToPEM(privateKey: CryptoKey) {
+    const privDer = await crypto.subtle.exportKey("pkcs8", privateKey);
+    const privPem = x509.PemConverter.encode(privDer, "PRIVATE KEY");
+    return { privPem, privDer };
+}
+
+export async function derToPrivateKey(privDer: ArrayBuffer): Promise<CryptoKey> {
+    return await crypto.subtle.importKey(
+        "pkcs8",
+        privDer,
+        {
+            name: "RSASSA-PKCS1-v1_5",
+            hash: { name: "SHA-256" },
+        },
+        true,
+        ["sign", "encrypt", "decrypt", "verify", "wrapKey", "unwrapKey", "deriveKey", "deriveBits"]
+    );
+}
+
+export async function pemToPrivateKey(pem: string): Promise<CryptoKey> {
+    // https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey
+    const privDer = x509.PemConverter.decode(pem);
+    return derToPrivateKey(privDer[0]);
+}

package/source/x509/create_self_signed_certificate.ts

@@ -0,0 +1,91 @@
+import { Subject } from "../subject";
+    import { CertificatePurpose } from "../common";
+import { x509 } from "./_crypto";
+import { getAttributes } from "./_get_attributes";
+import { buildPublicKey } from "./_build_public_key";
+
+export interface CreateSelfSignCertificateOptions {
+    privateKey: CryptoKey;
+    notBefore?: Date;
+    notAfter?: Date;
+    validity?: number;
+    // CN=common/O=Org/C=US/ST=State/L=City
+    subject?: string;
+    dns?: string[];
+    ip?: string[];
+    applicationUri?: string;
+    purpose: CertificatePurpose;
+}
+export async function createSelfSignedCertificate({
+    privateKey,
+    notAfter,
+    notBefore,
+    validity,
+    subject,
+    dns,
+    ip,
+    applicationUri,
+    purpose,
+}: CreateSelfSignCertificateOptions) {
+    
+     const publicKey = await buildPublicKey(privateKey);
+  
+    const keys = {
+        privateKey,
+        publicKey,
+    };
+
+    const { nsComment, basicConstraints, keyUsageExtension, usages } = getAttributes(purpose);
+
+    notBefore = notBefore || new Date();
+    validity = validity || 0;
+    if (!notAfter) {
+        validity = validity || 365;
+    }
+    notAfter = notAfter || new Date(notBefore.getTime() + validity * 24 * 60 * 60 * 1000);
+
+    const alternativeNameExtensions: x509.JsonGeneralName[] = [];
+    dns && dns.forEach((d) => alternativeNameExtensions.push({ type: "dns", value: d }));
+    ip && ip.forEach((d) => alternativeNameExtensions.push({ type: "ip", value: d }));
+    applicationUri && alternativeNameExtensions.push({ type: "url", value: applicationUri });
+
+    // https://opensource.apple.com/source/OpenSSH/OpenSSH-186/osslshim/heimdal-asn1/rfc2459.asn1.auto.html
+    const ID_NETSCAPE_COMMENT = "2.16.840.1.113730.1.13";
+
+    const s = new Subject(subject || "");
+    const s1 = s.toStringInternal(", ");
+    const name = s1;
+    // const issuer = s1;
+    /**
+     *  name: "CN=Test, O=Дом",
+     *  subject: "CN=Test, O=Дом",
+     *  issuer: "CN=Test, O=Дом",
+
+     */
+
+    //  const gg = new x509.GeneralNames(gga);
+    const cert = await x509.X509CertificateGenerator.createSelfSigned({
+        serialNumber: "01",
+        name,
+        // subject: s1,
+        // issuer,
+        notBefore,
+        notAfter,
+
+        signingAlgorithm: { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" } },
+
+        keys,
+
+        extensions: [
+            new x509.Extension(ID_NETSCAPE_COMMENT, false, Buffer.from(nsComment, "ascii")),
+            // new x509.BasicConstraintsExtension(true, 2, true),
+            basicConstraints,
+            new x509.ExtendedKeyUsageExtension(keyUsageExtension, true),
+            new x509.KeyUsagesExtension(usages, true),
+            await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
+            new x509.SubjectAlternativeNameExtension(alternativeNameExtensions),
+        ],
+    });
+
+    return { cert: cert.toString("pem"), der: cert };
+}