node-opcua-crypto 2.1.2 → 3.0.0-beta.0

package/dist/source/crypto_utils.js

@@ -1,330 +1,330 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.extractPublicKeyFromCertificate = exports.extractPublicKeyFromCertificateSync = exports.rsaLengthRsaPublicKey = exports.rsaLengthPublicKey = exports.rsaLengthPrivateKey = exports.coercePrivateKeyPem = exports.coercePrivateKey = exports.coerceRsaPublicKeyPem = exports.coercePublicKeyPem = exports.coerceCertificatePem = exports.privateDecrypt_long = exports.publicEncrypt_long = exports.privateDecrypt = exports.publicEncrypt = exports.privateDecrypt_native = exports.publicEncrypt_native = exports.PaddingAlgorithm = exports.RSA_PKCS1_PADDING = exports.RSA_PKCS1_OAEP_PADDING = exports.makeSHA1Thumbprint = exports.verifyMessageChunkSignature = exports.makeMessageChunkSignature = exports.hexDump = exports.toPem = exports.convertPEMtoDER = exports.identifyPemType = void 0;
-// tslint:disabled:no-var-requires
-/**
- * @module node_opcua_crypto
- */
-const constants = require("constants");
-const crypto = require("crypto");
-const buffer_utils_1 = require("./buffer_utils");
-const crypto_explore_certificate_1 = require("./crypto_explore_certificate");
-const assert = require("assert");
-const hexy_1 = require("hexy");
-const jsrsasign = require("jsrsasign");
-const PEM_REGEX = /^(-----BEGIN (.*)-----\r?\n([/+=a-zA-Z0-9\r\n]*)\r?\n-----END \2-----\r?\n?)/gm;
-const PEM_TYPE_REGEX = /^(-----BEGIN (.*)-----)/m;
-// Copyright 2012 The Obvious Corporation.
-// identifyPemType
-/*=
- * Extract and identify the PEM file type represented in the given
- * buffer. Returns the extracted type string or undefined if the
- * buffer doesn't seem to be any sort of PEM format file.
- */
-function identifyPemType(rawKey) {
-    if (rawKey instanceof Buffer) {
-        rawKey = rawKey.toString("utf8");
-    }
-    const match = PEM_TYPE_REGEX.exec(rawKey);
-    return !match ? undefined : match[2];
-}
-exports.identifyPemType = identifyPemType;
-function convertPEMtoDER(raw_key) {
-    let match;
-    let pemType;
-    let base64str;
-    const parts = [];
-    PEM_REGEX.lastIndex = 0;
-    // tslint:disable-next-line:no-conditional-assignment
-    while ((match = PEM_REGEX.exec(raw_key)) !== null) {
-        pemType = match[2];
-        // pemType shall be "RSA PRIVATE KEY" , "PUBLIC KEY", "CERTIFICATE", "X509 CRL"
-        base64str = match[3];
-        base64str = base64str.replace(/\r?\n/g, "");
-        parts.push(Buffer.from(base64str, "base64"));
-    }
-    return (0, crypto_explore_certificate_1.combine_der)(parts);
-}
-exports.convertPEMtoDER = convertPEMtoDER;
-/**
- * @method toPem
- * @param raw_key
- * @param pem
- * @return
- */
-function toPem(raw_key, pem) {
-    assert(raw_key, "expecting a key");
-    assert(typeof pem === "string");
-    if (raw_key instanceof crypto.KeyObject) {
-        if (pem === "RSA PRIVATE KEY") {
-            return raw_key.export({ format: "pem", type: "pkcs1" }).toString();
-        }
-        else if (pem === "PRIVATE KEY") {
-            return raw_key.export({ format: "pem", type: "pkcs8" }).toString();
-        }
-        else {
-            throw new Error("Unsupported case!");
-        }
-    }
-    let pemType = identifyPemType(raw_key);
-    if (pemType) {
-        return raw_key instanceof Buffer ? raw_key.toString("utf8") : raw_key;
-    }
-    else {
-        pemType = pem;
-        assert(["CERTIFICATE REQUEST", "CERTIFICATE", "RSA PRIVATE KEY", "PUBLIC KEY", "X509 CRL"].indexOf(pemType) >= 0);
-        let b = raw_key.toString("base64");
-        let str = "-----BEGIN " + pemType + "-----\n";
-        while (b.length) {
-            str += b.substr(0, 64) + "\n";
-            b = b.substr(64);
-        }
-        str += "-----END " + pemType + "-----";
-        str += "\n";
-        return str;
-    }
-}
-exports.toPem = toPem;
-// istanbul ignore next
-function hexDump(buffer, width) {
-    if (!buffer) {
-        return "<>";
-    }
-    width = width || 32;
-    if (buffer.length > 1024) {
-        return (0, hexy_1.hexy)(buffer.subarray(0, 1024), { width, format: "twos" }) + "\n .... ( " + buffer.length + ")";
-    }
-    else {
-        return (0, hexy_1.hexy)(buffer, { width, format: "twos" });
-    }
-}
-exports.hexDump = hexDump;
-function makeMessageChunkSignature(chunk, options) {
-    // signature length = 128 bytes
-    const signer = crypto.createSign(options.algorithm);
-    signer.update(chunk);
-    const signature = signer.sign(options.privateKey);
-    assert(!options.signatureLength || signature.length === options.signatureLength);
-    return signature;
-}
-exports.makeMessageChunkSignature = makeMessageChunkSignature;
-/**
- * @method verifyMessageChunkSignature
- *
- *     const signer = {
- *           signatureLength : 128,
- *           algorithm : "RSA-SHA256",
- *           publicKey: "qsdqsdqsd"
- *     };
- * @param blockToVerify
- * @param signature
- * @param options
- * @param options.signatureLength
- * @param options.algorithm    for example "RSA-SHA256"
- * @param options.publicKey
- * @return true if the signature is valid
- */
-function verifyMessageChunkSignature(blockToVerify, signature, options) {
-    assert(blockToVerify instanceof Buffer);
-    assert(signature instanceof Buffer);
-    assert(typeof options.publicKey === "string");
-    assert(identifyPemType(options.publicKey));
-    const verify = crypto.createVerify(options.algorithm);
-    verify.update(blockToVerify);
-    return verify.verify(options.publicKey, signature);
-}
-exports.verifyMessageChunkSignature = verifyMessageChunkSignature;
-function makeSHA1Thumbprint(buffer) {
-    return crypto.createHash("sha1").update(buffer).digest();
-}
-exports.makeSHA1Thumbprint = makeSHA1Thumbprint;
-// Basically when you =encrypt something using an RSA key (whether public or private), the encrypted value must
-// be smaller than the key (due to the maths used to do the actual encryption). So if you have a 1024-bit key,
-// in theory you could encrypt any 1023-bit value (or a 1024-bit value smaller than the key) with that key.
-// However, the PKCS#1 standard, which OpenSSL uses, specifies a padding scheme (so you can encrypt smaller
-// quantities without losing security), and that padding scheme takes a minimum of 11 bytes (it will be longer
-// if the value you're encrypting is smaller). So the highest number of bits you can encrypt with a 1024-bit
-// key is 936 bits because of this (unless you disable the padding by adding the OPENSSL_NO_PADDING flag,
-// in which case you can go up to 1023-1024 bits). With a 2048-bit key it's 1960 bits instead.
-exports.RSA_PKCS1_OAEP_PADDING = constants.RSA_PKCS1_OAEP_PADDING;
-exports.RSA_PKCS1_PADDING = constants.RSA_PKCS1_PADDING;
-var PaddingAlgorithm;
-(function (PaddingAlgorithm) {
-    PaddingAlgorithm[PaddingAlgorithm["RSA_PKCS1_OAEP_PADDING"] = 4] = "RSA_PKCS1_OAEP_PADDING";
-    PaddingAlgorithm[PaddingAlgorithm["RSA_PKCS1_PADDING"] = 1] = "RSA_PKCS1_PADDING";
-})(PaddingAlgorithm = exports.PaddingAlgorithm || (exports.PaddingAlgorithm = {}));
-assert(PaddingAlgorithm.RSA_PKCS1_OAEP_PADDING === constants.RSA_PKCS1_OAEP_PADDING);
-assert(PaddingAlgorithm.RSA_PKCS1_PADDING === constants.RSA_PKCS1_PADDING);
-// publicEncrypt and  privateDecrypt only work with
-// small buffer that depends of the key size.
-function publicEncrypt_native(buffer, publicKey, algorithm) {
-    if (algorithm === undefined) {
-        algorithm = PaddingAlgorithm.RSA_PKCS1_PADDING;
-    }
-    assert(algorithm === exports.RSA_PKCS1_PADDING || algorithm === exports.RSA_PKCS1_OAEP_PADDING);
-    assert(buffer instanceof Buffer, "Expecting a buffer");
-    return crypto.publicEncrypt({
-        key: publicKey,
-        padding: algorithm,
-    }, buffer);
-}
-exports.publicEncrypt_native = publicEncrypt_native;
-function privateDecrypt_native(buffer, privateKey, algorithm) {
-    if (algorithm === undefined) {
-        algorithm = PaddingAlgorithm.RSA_PKCS1_PADDING;
-    }
-    assert(algorithm === exports.RSA_PKCS1_PADDING || algorithm === exports.RSA_PKCS1_OAEP_PADDING);
-    assert(buffer instanceof Buffer, "Expecting a buffer");
-    try {
-        return crypto.privateDecrypt({
-            key: privateKey,
-            padding: algorithm,
-        }, buffer);
-    }
-    catch (err) {
-        return Buffer.alloc(1);
-    }
-}
-exports.privateDecrypt_native = privateDecrypt_native;
-exports.publicEncrypt = publicEncrypt_native;
-exports.privateDecrypt = privateDecrypt_native;
-function publicEncrypt_long(buffer, publicKey, blockSize, padding, paddingAlgorithm) {
-    if (paddingAlgorithm === undefined) {
-        paddingAlgorithm = PaddingAlgorithm.RSA_PKCS1_PADDING;
-    }
-    if (paddingAlgorithm !== exports.RSA_PKCS1_PADDING && paddingAlgorithm !== exports.RSA_PKCS1_OAEP_PADDING) {
-        throw new Error("Invalid padding algorithm " + paddingAlgorithm);
-    }
-    const chunk_size = blockSize - padding;
-    const nbBlocks = Math.ceil(buffer.length / chunk_size);
-    const outputBuffer = (0, buffer_utils_1.createFastUninitializedBuffer)(nbBlocks * blockSize);
-    for (let i = 0; i < nbBlocks; i++) {
-        const currentBlock = buffer.subarray(chunk_size * i, chunk_size * (i + 1));
-        const encrypted_chunk = (0, exports.publicEncrypt)(currentBlock, publicKey, paddingAlgorithm);
-        // istanbul ignore next
-        if (encrypted_chunk.length !== blockSize) {
-            throw new Error(`publicEncrypt_long unexpected chunk length ${encrypted_chunk.length}  expecting ${blockSize}`);
-        }
-        encrypted_chunk.copy(outputBuffer, i * blockSize);
-    }
-    return outputBuffer;
-}
-exports.publicEncrypt_long = publicEncrypt_long;
-function privateDecrypt_long(buffer, privateKey, blockSize, paddingAlgorithm) {
-    paddingAlgorithm = paddingAlgorithm || exports.RSA_PKCS1_PADDING;
-    // istanbul ignore next
-    if (paddingAlgorithm !== exports.RSA_PKCS1_PADDING && paddingAlgorithm !== exports.RSA_PKCS1_OAEP_PADDING) {
-        throw new Error("Invalid padding algorithm " + paddingAlgorithm);
-    }
-    const nbBlocks = Math.ceil(buffer.length / blockSize);
-    const outputBuffer = (0, buffer_utils_1.createFastUninitializedBuffer)(nbBlocks * blockSize);
-    let total_length = 0;
-    for (let i = 0; i < nbBlocks; i++) {
-        const currentBlock = buffer.subarray(blockSize * i, Math.min(blockSize * (i + 1), buffer.length));
-        const decrypted_buf = (0, exports.privateDecrypt)(currentBlock, privateKey, paddingAlgorithm);
-        decrypted_buf.copy(outputBuffer, total_length);
-        total_length += decrypted_buf.length;
-    }
-    return outputBuffer.subarray(0, total_length);
-}
-exports.privateDecrypt_long = privateDecrypt_long;
-function coerceCertificatePem(certificate) {
-    if (certificate instanceof Buffer) {
-        certificate = toPem(certificate, "CERTIFICATE");
-    }
-    assert(typeof certificate === "string");
-    return certificate;
-}
-exports.coerceCertificatePem = coerceCertificatePem;
-function coercePublicKeyPem(publicKey) {
-    if (publicKey instanceof crypto.KeyObject) {
-        return publicKey.export({ format: "pem", type: "spki" }).toString();
-    }
-    assert(typeof publicKey === "string");
-    return publicKey;
-}
-exports.coercePublicKeyPem = coercePublicKeyPem;
-function coerceRsaPublicKeyPem(publicKey) {
-    if (publicKey instanceof crypto.KeyObject) {
-        return publicKey.export({ format: "pem", type: "spki" }).toString();
-    }
-    assert(typeof publicKey === "string");
-    return publicKey;
-}
-exports.coerceRsaPublicKeyPem = coerceRsaPublicKeyPem;
-function coercePrivateKey(privateKey) {
-    if (typeof privateKey === "string") {
-        return crypto.createPrivateKey(privateKey);
-    }
-    return privateKey;
-}
-exports.coercePrivateKey = coercePrivateKey;
-function coercePrivateKeyPem(privateKey) {
-    if (privateKey instanceof Buffer) {
-        const o = crypto.createPrivateKey({ key: privateKey, format: "der", type: "pkcs1" });
-        const e = o.export({ format: "der", type: "pkcs1" });
-        privateKey = toPem(e, "RSA PRIVATE KEY");
-    }
-    assert(typeof privateKey === "string");
-    return privateKey;
-}
-exports.coercePrivateKeyPem = coercePrivateKeyPem;
-/***
- * @method rsaLengthPrivateKey
- * A very expensive way to determine the rsa key length ( i.e 2048bits or 1024bits)
- * @param key  a PEM public key or a PEM rsa private key
- * @return the key length in bytes.
- */
-function rsaLengthPrivateKey(key) {
-    key = coercePrivateKey(key);
-    // in node 16 and above :
-    // return o.asymmetricKeyDetails.modulusLength/8
-    // in node <16 :
-    const key2 = key.export({ type: "pkcs1", format: "pem" }).toString();
-    const a = jsrsasign.KEYUTIL.getKey(key2);
-    return a.n.toString(16).length / 2;
-}
-exports.rsaLengthPrivateKey = rsaLengthPrivateKey;
-function rsaLengthPublicKey(key) {
-    key = coercePublicKeyPem(key);
-    assert(typeof key === "string");
-    const a = jsrsasign.KEYUTIL.getKey(key);
-    return a.n.toString(16).length / 2;
-}
-exports.rsaLengthPublicKey = rsaLengthPublicKey;
-function rsaLengthRsaPublicKey(key) {
-    key = coerceRsaPublicKeyPem(key);
-    assert(typeof key === "string");
-    const a = jsrsasign.KEYUTIL.getKey(key);
-    return a.n.toString(16).length / 2;
-}
-exports.rsaLengthRsaPublicKey = rsaLengthRsaPublicKey;
-function extractPublicKeyFromCertificateSync(certificate) {
-    certificate = coerceCertificatePem(certificate);
-    const key = jsrsasign.KEYUTIL.getKey(certificate);
-    const publicKeyAsPem = jsrsasign.KEYUTIL.getPEM(key);
-    assert(typeof publicKeyAsPem === "string");
-    return publicKeyAsPem;
-}
-exports.extractPublicKeyFromCertificateSync = extractPublicKeyFromCertificateSync;
-// https://github.com/kjur/jsrsasign/blob/master/x509-1.1.js
-// tool to analyse asn1 base64 blocks : http://lapo.it/asn1js
-/**
- * extract the publickey from a certificate
- * @async
- */
-function extractPublicKeyFromCertificate(certificate, callback) {
-    let err1 = null;
-    let keyPem;
-    try {
-        keyPem = extractPublicKeyFromCertificateSync(certificate);
-    }
-    catch (err) {
-        err1 = err;
-    }
-    setImmediate(() => {
-        callback(err1, keyPem);
-    });
-}
-exports.extractPublicKeyFromCertificate = extractPublicKeyFromCertificate;
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractPublicKeyFromCertificate = exports.extractPublicKeyFromCertificateSync = exports.rsaLengthRsaPublicKey = exports.rsaLengthPublicKey = exports.rsaLengthPrivateKey = exports.coercePrivateKeyPem = exports.coercePrivateKey = exports.coerceRsaPublicKeyPem = exports.coercePublicKeyPem = exports.coerceCertificatePem = exports.privateDecrypt_long = exports.publicEncrypt_long = exports.privateDecrypt = exports.publicEncrypt = exports.privateDecrypt_native = exports.publicEncrypt_native = exports.PaddingAlgorithm = exports.RSA_PKCS1_PADDING = exports.RSA_PKCS1_OAEP_PADDING = exports.makeSHA1Thumbprint = exports.verifyMessageChunkSignature = exports.makeMessageChunkSignature = exports.hexDump = exports.toPem = exports.convertPEMtoDER = exports.identifyPemType = void 0;
+// tslint:disabled:no-var-requires
+/**
+ * @module node_opcua_crypto
+ */
+const constants = require("constants");
+const crypto = require("crypto");
+const buffer_utils_1 = require("./buffer_utils");
+const crypto_explore_certificate_1 = require("./crypto_explore_certificate");
+const assert = require("assert");
+const hexy_1 = require("hexy");
+const jsrsasign = require("jsrsasign");
+const PEM_REGEX = /^(-----BEGIN (.*)-----\r?\n([/+=a-zA-Z0-9\r\n]*)\r?\n-----END \2-----\r?\n?)/gm;
+const PEM_TYPE_REGEX = /^(-----BEGIN (.*)-----)/m;
+// Copyright 2012 The Obvious Corporation.
+// identifyPemType
+/*=
+ * Extract and identify the PEM file type represented in the given
+ * buffer. Returns the extracted type string or undefined if the
+ * buffer doesn't seem to be any sort of PEM format file.
+ */
+function identifyPemType(rawKey) {
+    if (rawKey instanceof Buffer) {
+        rawKey = rawKey.toString("utf8");
+    }
+    const match = PEM_TYPE_REGEX.exec(rawKey);
+    return !match ? undefined : match[2];
+}
+exports.identifyPemType = identifyPemType;
+function convertPEMtoDER(raw_key) {
+    let match;
+    let pemType;
+    let base64str;
+    const parts = [];
+    PEM_REGEX.lastIndex = 0;
+    // tslint:disable-next-line:no-conditional-assignment
+    while ((match = PEM_REGEX.exec(raw_key)) !== null) {
+        pemType = match[2];
+        // pemType shall be "RSA PRIVATE KEY" , "PUBLIC KEY", "CERTIFICATE", "X509 CRL"
+        base64str = match[3];
+        base64str = base64str.replace(/\r?\n/g, "");
+        parts.push(Buffer.from(base64str, "base64"));
+    }
+    return (0, crypto_explore_certificate_1.combine_der)(parts);
+}
+exports.convertPEMtoDER = convertPEMtoDER;
+/**
+ * @method toPem
+ * @param raw_key
+ * @param pem
+ * @return
+ */
+function toPem(raw_key, pem) {
+    assert(raw_key, "expecting a key");
+    assert(typeof pem === "string");
+    if (raw_key instanceof crypto.KeyObject) {
+        if (pem === "RSA PRIVATE KEY") {
+            return raw_key.export({ format: "pem", type: "pkcs1" }).toString();
+        }
+        else if (pem === "PRIVATE KEY") {
+            return raw_key.export({ format: "pem", type: "pkcs8" }).toString();
+        }
+        else {
+            throw new Error("Unsupported case!");
+        }
+    }
+    let pemType = identifyPemType(raw_key);
+    if (pemType) {
+        return raw_key instanceof Buffer ? raw_key.toString("utf8") : raw_key;
+    }
+    else {
+        pemType = pem;
+        assert(["CERTIFICATE REQUEST", "CERTIFICATE", "RSA PRIVATE KEY", "PUBLIC KEY", "X509 CRL"].indexOf(pemType) >= 0);
+        let b = raw_key.toString("base64");
+        let str = "-----BEGIN " + pemType + "-----\n";
+        while (b.length) {
+            str += b.substr(0, 64) + "\n";
+            b = b.substr(64);
+        }
+        str += "-----END " + pemType + "-----";
+        str += "\n";
+        return str;
+    }
+}
+exports.toPem = toPem;
+// istanbul ignore next
+function hexDump(buffer, width) {
+    if (!buffer) {
+        return "<>";
+    }
+    width = width || 32;
+    if (buffer.length > 1024) {
+        return (0, hexy_1.hexy)(buffer.subarray(0, 1024), { width, format: "twos" }) + "\n .... ( " + buffer.length + ")";
+    }
+    else {
+        return (0, hexy_1.hexy)(buffer, { width, format: "twos" });
+    }
+}
+exports.hexDump = hexDump;
+function makeMessageChunkSignature(chunk, options) {
+    // signature length = 128 bytes
+    const signer = crypto.createSign(options.algorithm);
+    signer.update(chunk);
+    const signature = signer.sign(options.privateKey);
+    assert(!options.signatureLength || signature.length === options.signatureLength);
+    return signature;
+}
+exports.makeMessageChunkSignature = makeMessageChunkSignature;
+/**
+ * @method verifyMessageChunkSignature
+ *
+ *     const signer = {
+ *           signatureLength : 128,
+ *           algorithm : "RSA-SHA256",
+ *           publicKey: "qsdqsdqsd"
+ *     };
+ * @param blockToVerify
+ * @param signature
+ * @param options
+ * @param options.signatureLength
+ * @param options.algorithm    for example "RSA-SHA256"
+ * @param options.publicKey
+ * @return true if the signature is valid
+ */
+function verifyMessageChunkSignature(blockToVerify, signature, options) {
+    assert(blockToVerify instanceof Buffer);
+    assert(signature instanceof Buffer);
+    assert(typeof options.publicKey === "string");
+    assert(identifyPemType(options.publicKey));
+    const verify = crypto.createVerify(options.algorithm);
+    verify.update(blockToVerify);
+    return verify.verify(options.publicKey, signature);
+}
+exports.verifyMessageChunkSignature = verifyMessageChunkSignature;
+function makeSHA1Thumbprint(buffer) {
+    return crypto.createHash("sha1").update(buffer).digest();
+}
+exports.makeSHA1Thumbprint = makeSHA1Thumbprint;
+// Basically when you =encrypt something using an RSA key (whether public or private), the encrypted value must
+// be smaller than the key (due to the maths used to do the actual encryption). So if you have a 1024-bit key,
+// in theory you could encrypt any 1023-bit value (or a 1024-bit value smaller than the key) with that key.
+// However, the PKCS#1 standard, which OpenSSL uses, specifies a padding scheme (so you can encrypt smaller
+// quantities without losing security), and that padding scheme takes a minimum of 11 bytes (it will be longer
+// if the value you're encrypting is smaller). So the highest number of bits you can encrypt with a 1024-bit
+// key is 936 bits because of this (unless you disable the padding by adding the OPENSSL_NO_PADDING flag,
+// in which case you can go up to 1023-1024 bits). With a 2048-bit key it's 1960 bits instead.
+exports.RSA_PKCS1_OAEP_PADDING = constants.RSA_PKCS1_OAEP_PADDING;
+exports.RSA_PKCS1_PADDING = constants.RSA_PKCS1_PADDING;
+var PaddingAlgorithm;
+(function (PaddingAlgorithm) {
+    PaddingAlgorithm[PaddingAlgorithm["RSA_PKCS1_OAEP_PADDING"] = 4] = "RSA_PKCS1_OAEP_PADDING";
+    PaddingAlgorithm[PaddingAlgorithm["RSA_PKCS1_PADDING"] = 1] = "RSA_PKCS1_PADDING";
+})(PaddingAlgorithm = exports.PaddingAlgorithm || (exports.PaddingAlgorithm = {}));
+assert(PaddingAlgorithm.RSA_PKCS1_OAEP_PADDING === constants.RSA_PKCS1_OAEP_PADDING);
+assert(PaddingAlgorithm.RSA_PKCS1_PADDING === constants.RSA_PKCS1_PADDING);
+// publicEncrypt and  privateDecrypt only work with
+// small buffer that depends of the key size.
+function publicEncrypt_native(buffer, publicKey, algorithm) {
+    if (algorithm === undefined) {
+        algorithm = PaddingAlgorithm.RSA_PKCS1_PADDING;
+    }
+    assert(algorithm === exports.RSA_PKCS1_PADDING || algorithm === exports.RSA_PKCS1_OAEP_PADDING);
+    assert(buffer instanceof Buffer, "Expecting a buffer");
+    return crypto.publicEncrypt({
+        key: publicKey,
+        padding: algorithm,
+    }, buffer);
+}
+exports.publicEncrypt_native = publicEncrypt_native;
+function privateDecrypt_native(buffer, privateKey, algorithm) {
+    if (algorithm === undefined) {
+        algorithm = PaddingAlgorithm.RSA_PKCS1_PADDING;
+    }
+    assert(algorithm === exports.RSA_PKCS1_PADDING || algorithm === exports.RSA_PKCS1_OAEP_PADDING);
+    assert(buffer instanceof Buffer, "Expecting a buffer");
+    try {
+        return crypto.privateDecrypt({
+            key: privateKey,
+            padding: algorithm,
+        }, buffer);
+    }
+    catch (err) {
+        return Buffer.alloc(1);
+    }
+}
+exports.privateDecrypt_native = privateDecrypt_native;
+exports.publicEncrypt = publicEncrypt_native;
+exports.privateDecrypt = privateDecrypt_native;
+function publicEncrypt_long(buffer, publicKey, blockSize, padding, paddingAlgorithm) {
+    if (paddingAlgorithm === undefined) {
+        paddingAlgorithm = PaddingAlgorithm.RSA_PKCS1_PADDING;
+    }
+    if (paddingAlgorithm !== exports.RSA_PKCS1_PADDING && paddingAlgorithm !== exports.RSA_PKCS1_OAEP_PADDING) {
+        throw new Error("Invalid padding algorithm " + paddingAlgorithm);
+    }
+    const chunk_size = blockSize - padding;
+    const nbBlocks = Math.ceil(buffer.length / chunk_size);
+    const outputBuffer = (0, buffer_utils_1.createFastUninitializedBuffer)(nbBlocks * blockSize);
+    for (let i = 0; i < nbBlocks; i++) {
+        const currentBlock = buffer.subarray(chunk_size * i, chunk_size * (i + 1));
+        const encrypted_chunk = (0, exports.publicEncrypt)(currentBlock, publicKey, paddingAlgorithm);
+        // istanbul ignore next
+        if (encrypted_chunk.length !== blockSize) {
+            throw new Error(`publicEncrypt_long unexpected chunk length ${encrypted_chunk.length}  expecting ${blockSize}`);
+        }
+        encrypted_chunk.copy(outputBuffer, i * blockSize);
+    }
+    return outputBuffer;
+}
+exports.publicEncrypt_long = publicEncrypt_long;
+function privateDecrypt_long(buffer, privateKey, blockSize, paddingAlgorithm) {
+    paddingAlgorithm = paddingAlgorithm || exports.RSA_PKCS1_PADDING;
+    // istanbul ignore next
+    if (paddingAlgorithm !== exports.RSA_PKCS1_PADDING && paddingAlgorithm !== exports.RSA_PKCS1_OAEP_PADDING) {
+        throw new Error("Invalid padding algorithm " + paddingAlgorithm);
+    }
+    const nbBlocks = Math.ceil(buffer.length / blockSize);
+    const outputBuffer = (0, buffer_utils_1.createFastUninitializedBuffer)(nbBlocks * blockSize);
+    let total_length = 0;
+    for (let i = 0; i < nbBlocks; i++) {
+        const currentBlock = buffer.subarray(blockSize * i, Math.min(blockSize * (i + 1), buffer.length));
+        const decrypted_buf = (0, exports.privateDecrypt)(currentBlock, privateKey, paddingAlgorithm);
+        decrypted_buf.copy(outputBuffer, total_length);
+        total_length += decrypted_buf.length;
+    }
+    return outputBuffer.subarray(0, total_length);
+}
+exports.privateDecrypt_long = privateDecrypt_long;
+function coerceCertificatePem(certificate) {
+    if (certificate instanceof Buffer) {
+        certificate = toPem(certificate, "CERTIFICATE");
+    }
+    assert(typeof certificate === "string");
+    return certificate;
+}
+exports.coerceCertificatePem = coerceCertificatePem;
+function coercePublicKeyPem(publicKey) {
+    if (publicKey instanceof crypto.KeyObject) {
+        return publicKey.export({ format: "pem", type: "spki" }).toString();
+    }
+    assert(typeof publicKey === "string");
+    return publicKey;
+}
+exports.coercePublicKeyPem = coercePublicKeyPem;
+function coerceRsaPublicKeyPem(publicKey) {
+    if (publicKey instanceof crypto.KeyObject) {
+        return publicKey.export({ format: "pem", type: "spki" }).toString();
+    }
+    assert(typeof publicKey === "string");
+    return publicKey;
+}
+exports.coerceRsaPublicKeyPem = coerceRsaPublicKeyPem;
+function coercePrivateKey(privateKey) {
+    if (typeof privateKey === "string") {
+        return crypto.createPrivateKey(privateKey);
+    }
+    return privateKey;
+}
+exports.coercePrivateKey = coercePrivateKey;
+function coercePrivateKeyPem(privateKey) {
+    if (privateKey instanceof Buffer) {
+        const o = crypto.createPrivateKey({ key: privateKey, format: "der", type: "pkcs1" });
+        const e = o.export({ format: "der", type: "pkcs1" });
+        privateKey = toPem(e, "RSA PRIVATE KEY");
+    }
+    assert(typeof privateKey === "string");
+    return privateKey;
+}
+exports.coercePrivateKeyPem = coercePrivateKeyPem;
+/***
+ * @method rsaLengthPrivateKey
+ * A very expensive way to determine the rsa key length ( i.e 2048bits or 1024bits)
+ * @param key  a PEM public key or a PEM rsa private key
+ * @return the key length in bytes.
+ */
+function rsaLengthPrivateKey(key) {
+    key = coercePrivateKey(key);
+    // in node 16 and above :
+    // return o.asymmetricKeyDetails.modulusLength/8
+    // in node <16 :
+    const key2 = key.export({ type: "pkcs1", format: "pem" }).toString();
+    const a = jsrsasign.KEYUTIL.getKey(key2);
+    return a.n.toString(16).length / 2;
+}
+exports.rsaLengthPrivateKey = rsaLengthPrivateKey;
+function rsaLengthPublicKey(key) {
+    key = coercePublicKeyPem(key);
+    assert(typeof key === "string");
+    const a = jsrsasign.KEYUTIL.getKey(key);
+    return a.n.toString(16).length / 2;
+}
+exports.rsaLengthPublicKey = rsaLengthPublicKey;
+function rsaLengthRsaPublicKey(key) {
+    key = coerceRsaPublicKeyPem(key);
+    assert(typeof key === "string");
+    const a = jsrsasign.KEYUTIL.getKey(key);
+    return a.n.toString(16).length / 2;
+}
+exports.rsaLengthRsaPublicKey = rsaLengthRsaPublicKey;
+function extractPublicKeyFromCertificateSync(certificate) {
+    certificate = coerceCertificatePem(certificate);
+    const key = jsrsasign.KEYUTIL.getKey(certificate);
+    const publicKeyAsPem = jsrsasign.KEYUTIL.getPEM(key);
+    assert(typeof publicKeyAsPem === "string");
+    return publicKeyAsPem;
+}
+exports.extractPublicKeyFromCertificateSync = extractPublicKeyFromCertificateSync;
+// https://github.com/kjur/jsrsasign/blob/master/x509-1.1.js
+// tool to analyse asn1 base64 blocks : http://lapo.it/asn1js
+/**
+ * extract the publickey from a certificate
+ * @async
+ */
+function extractPublicKeyFromCertificate(certificate, callback) {
+    let err1 = null;
+    let keyPem;
+    try {
+        keyPem = extractPublicKeyFromCertificateSync(certificate);
+    }
+    catch (err) {
+        err1 = err;
+    }
+    setImmediate(() => {
+        callback(err1, keyPem);
+    });
+}
+exports.extractPublicKeyFromCertificate = extractPublicKeyFromCertificate;
 //# sourceMappingURL=crypto_utils.js.map