node-opcua-crypto 4.10.0 → 4.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -4
- package/dist/{chunk-GNEWUC7X.mjs → chunk-AXAFLVME.mjs} +9 -15
- package/dist/chunk-AXAFLVME.mjs.map +1 -0
- package/dist/{chunk-46EEAYVO.mjs → chunk-LHUQUHQQ.mjs} +845 -829
- package/dist/chunk-LHUQUHQQ.mjs.map +1 -0
- package/dist/chunk-RQA4DO2Z.mjs +1 -0
- package/dist/index.d.mts +2 -3
- package/dist/index.d.ts +2 -3
- package/dist/index.js +658 -701
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +9 -56
- package/dist/source/index.d.mts +1 -5
- package/dist/source/index.d.ts +1 -5
- package/dist/source/index.js +622 -658
- package/dist/source/index.js.map +1 -1
- package/dist/source/index.mjs +9 -54
- package/dist/source/index_web.d.mts +224 -234
- package/dist/source/index_web.d.ts +224 -234
- package/dist/source/index_web.js +650 -657
- package/dist/source/index_web.js.map +1 -1
- package/dist/source/index_web.mjs +9 -51
- package/dist/source_nodejs/index.d.mts +1 -2
- package/dist/source_nodejs/index.d.ts +1 -2
- package/dist/source_nodejs/index.js +46 -50
- package/dist/source_nodejs/index.js.map +1 -1
- package/dist/source_nodejs/index.mjs +3 -5
- package/package.json +9 -4
- package/dist/chunk-46EEAYVO.mjs.map +0 -1
- package/dist/chunk-GNEWUC7X.mjs.map +0 -1
- package/dist/chunk-VI4S2NM5.mjs +0 -38
- package/dist/chunk-VI4S2NM5.mjs.map +0 -1
- package/dist/index_web.d.mts +0 -5
- package/dist/index_web.d.ts +0 -5
- package/dist/index_web.js +0 -6414
- package/dist/index_web.js.map +0 -1
- package/dist/index_web.mjs +0 -195
- package/index.mjs +0 -1
- package/index_web.ts +0 -1
- package/web.d.ts +0 -1
- package/web.mjs +0 -1
- /package/dist/{index_web.mjs.map → chunk-RQA4DO2Z.mjs.map} +0 -0
package/dist/source/index.js
CHANGED
|
@@ -35,28 +35,8 @@ __export(source_exports, {
|
|
|
35
35
|
RSA_PKCS1_OAEP_PADDING: () => RSA_PKCS1_OAEP_PADDING,
|
|
36
36
|
RSA_PKCS1_PADDING: () => RSA_PKCS1_PADDING,
|
|
37
37
|
Subject: () => Subject,
|
|
38
|
-
TagType: () => TagType,
|
|
39
38
|
_coercePrivateKey: () => _coercePrivateKey,
|
|
40
|
-
|
|
41
|
-
_getBlock: () => _getBlock,
|
|
42
|
-
_readAlgorithmIdentifier: () => _readAlgorithmIdentifier,
|
|
43
|
-
_readBitString: () => _readBitString,
|
|
44
|
-
_readBooleanValue: () => _readBooleanValue,
|
|
45
|
-
_readDirectoryName: () => _readDirectoryName,
|
|
46
|
-
_readECCAlgorithmIdentifier: () => _readECCAlgorithmIdentifier,
|
|
47
|
-
_readExtension: () => _readExtension,
|
|
48
|
-
_readIntegerAsByteString: () => _readIntegerAsByteString,
|
|
49
|
-
_readIntegerValue: () => _readIntegerValue,
|
|
50
|
-
_readListOfInteger: () => _readListOfInteger,
|
|
51
|
-
_readLongIntegerValue: () => _readLongIntegerValue,
|
|
52
|
-
_readObjectIdentifier: () => _readObjectIdentifier,
|
|
53
|
-
_readOctetString: () => _readOctetString,
|
|
54
|
-
_readSignatureValue: () => _readSignatureValue,
|
|
55
|
-
_readSignatureValueBin: () => _readSignatureValueBin,
|
|
56
|
-
_readStruct: () => _readStruct,
|
|
57
|
-
_readTime: () => _readTime,
|
|
58
|
-
_readValue: () => _readValue,
|
|
59
|
-
_readVersionValue: () => _readVersionValue,
|
|
39
|
+
asn1: () => asn1,
|
|
60
40
|
certificateMatchesPrivateKey: () => certificateMatchesPrivateKey,
|
|
61
41
|
coerceCertificate: () => coerceCertificate,
|
|
62
42
|
coerceCertificatePem: () => coerceCertificatePem,
|
|
@@ -65,7 +45,6 @@ __export(source_exports, {
|
|
|
65
45
|
coercePublicKeyPem: () => coercePublicKeyPem,
|
|
66
46
|
coerceRsaPublicKeyPem: () => coerceRsaPublicKeyPem,
|
|
67
47
|
combine_der: () => combine_der,
|
|
68
|
-
compactDirectoryName: () => compactDirectoryName,
|
|
69
48
|
computeDerivedKeys: () => computeDerivedKeys,
|
|
70
49
|
computePaddingFooter: () => computePaddingFooter,
|
|
71
50
|
convertPEMtoDER: () => convertPEMtoDER,
|
|
@@ -83,7 +62,6 @@ __export(source_exports, {
|
|
|
83
62
|
explorePrivateKey: () => explorePrivateKey,
|
|
84
63
|
extractPublicKeyFromCertificate: () => extractPublicKeyFromCertificate,
|
|
85
64
|
extractPublicKeyFromCertificateSync: () => extractPublicKeyFromCertificateSync,
|
|
86
|
-
formatBuffer2DigitHexWithColum: () => formatBuffer2DigitHexWithColum,
|
|
87
65
|
generateKeyPair: () => generateKeyPair,
|
|
88
66
|
generatePrivateKey: () => generatePrivateKey,
|
|
89
67
|
hexDump: () => hexDump,
|
|
@@ -92,9 +70,9 @@ __export(source_exports, {
|
|
|
92
70
|
makeMessageChunkSignature: () => makeMessageChunkSignature,
|
|
93
71
|
makeMessageChunkSignatureWithDerivedKeys: () => makeMessageChunkSignatureWithDerivedKeys,
|
|
94
72
|
makePrivateKeyFromPem: () => makePrivateKeyFromPem,
|
|
73
|
+
makePrivateKeyThumbPrint: () => makePrivateKeyThumbPrint,
|
|
95
74
|
makePseudoRandomBuffer: () => makePseudoRandomBuffer,
|
|
96
75
|
makeSHA1Thumbprint: () => makeSHA1Thumbprint,
|
|
97
|
-
parseBitString: () => parseBitString,
|
|
98
76
|
pemToPrivateKey: () => pemToPrivateKey,
|
|
99
77
|
privateDecrypt: () => privateDecrypt,
|
|
100
78
|
privateDecrypt_long: () => privateDecrypt_long,
|
|
@@ -105,8 +83,8 @@ __export(source_exports, {
|
|
|
105
83
|
publicEncrypt_native: () => publicEncrypt_native,
|
|
106
84
|
publicKeyAndPrivateKeyMatches: () => publicKeyAndPrivateKeyMatches,
|
|
107
85
|
readCertificationRequestInfo: () => readCertificationRequestInfo,
|
|
86
|
+
readExtension: () => readExtension,
|
|
108
87
|
readNameForCrl: () => readNameForCrl,
|
|
109
|
-
readTag: () => readTag,
|
|
110
88
|
readTbsCertificate: () => readTbsCertificate,
|
|
111
89
|
reduceLength: () => reduceLength,
|
|
112
90
|
removePadding: () => removePadding,
|
|
@@ -127,42 +105,6 @@ __export(source_exports, {
|
|
|
127
105
|
});
|
|
128
106
|
module.exports = __toCommonJS(source_exports);
|
|
129
107
|
|
|
130
|
-
// source/common.ts
|
|
131
|
-
var import_crypto = __toESM(require("crypto"));
|
|
132
|
-
var KeyObjectOrig = import_crypto.default.KeyObject;
|
|
133
|
-
var { createPrivateKey: createPrivateKeyFromNodeJSCrypto } = import_crypto.default;
|
|
134
|
-
function isKeyObject(mayBeKeyObject) {
|
|
135
|
-
if (KeyObjectOrig) {
|
|
136
|
-
return mayBeKeyObject instanceof KeyObjectOrig;
|
|
137
|
-
}
|
|
138
|
-
return typeof mayBeKeyObject === "object" && typeof mayBeKeyObject.type === "string";
|
|
139
|
-
}
|
|
140
|
-
var CertificatePurpose = /* @__PURE__ */ ((CertificatePurpose2) => {
|
|
141
|
-
CertificatePurpose2[CertificatePurpose2["NotSpecified"] = 0] = "NotSpecified";
|
|
142
|
-
CertificatePurpose2[CertificatePurpose2["ForCertificateAuthority"] = 1] = "ForCertificateAuthority";
|
|
143
|
-
CertificatePurpose2[CertificatePurpose2["ForApplication"] = 2] = "ForApplication";
|
|
144
|
-
CertificatePurpose2[CertificatePurpose2["ForUserAuthentication"] = 3] = "ForUserAuthentication";
|
|
145
|
-
return CertificatePurpose2;
|
|
146
|
-
})(CertificatePurpose || {});
|
|
147
|
-
|
|
148
|
-
// source/derived_keys.ts
|
|
149
|
-
var import_assert5 = __toESM(require("assert"));
|
|
150
|
-
var import_crypto3 = require("crypto");
|
|
151
|
-
|
|
152
|
-
// source/buffer_utils.ts
|
|
153
|
-
var createFastUninitializedBuffer = Buffer.allocUnsafe ? Buffer.allocUnsafe : (size) => {
|
|
154
|
-
return new Buffer(size);
|
|
155
|
-
};
|
|
156
|
-
|
|
157
|
-
// source/crypto_utils.ts
|
|
158
|
-
var import_constants = __toESM(require("constants"));
|
|
159
|
-
var import_assert3 = __toESM(require("assert"));
|
|
160
|
-
var import_crypto2 = require("crypto");
|
|
161
|
-
var import_hexy = __toESM(require("hexy"));
|
|
162
|
-
|
|
163
|
-
// source/crypto_explore_certificate.ts
|
|
164
|
-
var import_assert2 = __toESM(require("assert"));
|
|
165
|
-
|
|
166
108
|
// source/asn1.ts
|
|
167
109
|
var import_assert = __toESM(require("assert"));
|
|
168
110
|
|
|
@@ -469,33 +411,33 @@ var oid_map = {
|
|
|
469
411
|
};
|
|
470
412
|
|
|
471
413
|
// source/asn1.ts
|
|
472
|
-
var TagType = /* @__PURE__ */ ((
|
|
473
|
-
|
|
474
|
-
|
|
475
|
-
|
|
476
|
-
|
|
477
|
-
|
|
478
|
-
|
|
479
|
-
|
|
480
|
-
|
|
481
|
-
|
|
482
|
-
|
|
483
|
-
|
|
484
|
-
|
|
485
|
-
|
|
486
|
-
|
|
487
|
-
|
|
488
|
-
|
|
489
|
-
|
|
490
|
-
|
|
491
|
-
|
|
492
|
-
|
|
493
|
-
|
|
494
|
-
|
|
495
|
-
|
|
496
|
-
|
|
497
|
-
|
|
498
|
-
return
|
|
414
|
+
var TagType = /* @__PURE__ */ ((TagType2) => {
|
|
415
|
+
TagType2[TagType2["BOOLEAN"] = 1] = "BOOLEAN";
|
|
416
|
+
TagType2[TagType2["INTEGER"] = 2] = "INTEGER";
|
|
417
|
+
TagType2[TagType2["BIT_STRING"] = 3] = "BIT_STRING";
|
|
418
|
+
TagType2[TagType2["OCTET_STRING"] = 4] = "OCTET_STRING";
|
|
419
|
+
TagType2[TagType2["NULL"] = 5] = "NULL";
|
|
420
|
+
TagType2[TagType2["OBJECT_IDENTIFIER"] = 6] = "OBJECT_IDENTIFIER";
|
|
421
|
+
TagType2[TagType2["UTF8String"] = 12] = "UTF8String";
|
|
422
|
+
TagType2[TagType2["NumericString"] = 18] = "NumericString";
|
|
423
|
+
TagType2[TagType2["PrintableString"] = 19] = "PrintableString";
|
|
424
|
+
TagType2[TagType2["TeletexString"] = 20] = "TeletexString";
|
|
425
|
+
TagType2[TagType2["IA5String"] = 22] = "IA5String";
|
|
426
|
+
TagType2[TagType2["UTCTime"] = 23] = "UTCTime";
|
|
427
|
+
TagType2[TagType2["GeneralizedTime"] = 24] = "GeneralizedTime";
|
|
428
|
+
TagType2[TagType2["GraphicString"] = 25] = "GraphicString";
|
|
429
|
+
TagType2[TagType2["VisibleString"] = 26] = "VisibleString";
|
|
430
|
+
TagType2[TagType2["GeneralString"] = 27] = "GeneralString";
|
|
431
|
+
TagType2[TagType2["UniversalString"] = 28] = "UniversalString";
|
|
432
|
+
TagType2[TagType2["BMPString"] = 30] = "BMPString";
|
|
433
|
+
TagType2[TagType2["SEQUENCE"] = 48] = "SEQUENCE";
|
|
434
|
+
TagType2[TagType2["SET"] = 49] = "SET";
|
|
435
|
+
TagType2[TagType2["CONTEXT_SPECIFIC0"] = 160] = "CONTEXT_SPECIFIC0";
|
|
436
|
+
TagType2[TagType2["CONTEXT_SPECIFIC1"] = 161] = "CONTEXT_SPECIFIC1";
|
|
437
|
+
TagType2[TagType2["CONTEXT_SPECIFIC2"] = 162] = "CONTEXT_SPECIFIC2";
|
|
438
|
+
TagType2[TagType2["CONTEXT_SPECIFIC3"] = 163] = "CONTEXT_SPECIFIC3";
|
|
439
|
+
TagType2[TagType2["A4"] = 164] = "A4";
|
|
440
|
+
return TagType2;
|
|
499
441
|
})(TagType || {});
|
|
500
442
|
function readTag(buf, pos) {
|
|
501
443
|
const start = pos;
|
|
@@ -516,7 +458,7 @@ function readTag(buf, pos) {
|
|
|
516
458
|
}
|
|
517
459
|
return { start, tag, position: pos, length };
|
|
518
460
|
}
|
|
519
|
-
function
|
|
461
|
+
function readStruct(buf, blockInfo) {
|
|
520
462
|
const length = blockInfo.length;
|
|
521
463
|
let cursor = blockInfo.position;
|
|
522
464
|
const end = blockInfo.position + length;
|
|
@@ -541,9 +483,9 @@ function parseBitString(buffer, start, end, maxLength) {
|
|
|
541
483
|
}
|
|
542
484
|
return intro + s;
|
|
543
485
|
}
|
|
544
|
-
function
|
|
486
|
+
function readBitString(buffer, block) {
|
|
545
487
|
(0, import_assert.default)(block.tag === 3 /* BIT_STRING */);
|
|
546
|
-
const data =
|
|
488
|
+
const data = getBlock(buffer, block);
|
|
547
489
|
const ignore_bits = data.readUInt8(0);
|
|
548
490
|
return {
|
|
549
491
|
lengthInBits: data.length * 8 - ignore_bits,
|
|
@@ -559,7 +501,7 @@ function formatBuffer2DigitHexWithColum(buffer) {
|
|
|
559
501
|
}
|
|
560
502
|
return value.join(":").toUpperCase().replace(/^(00:)*/, "");
|
|
561
503
|
}
|
|
562
|
-
function
|
|
504
|
+
function readOctetString(buffer, block) {
|
|
563
505
|
(0, import_assert.default)(block.tag === 4 /* OCTET_STRING */);
|
|
564
506
|
const tag = readTag(buffer, block.position);
|
|
565
507
|
(0, import_assert.default)(tag.tag === 4 /* OCTET_STRING */);
|
|
@@ -568,19 +510,19 @@ function _readOctetString(buffer, block) {
|
|
|
568
510
|
const b = buffer.subarray(pos, pos + nbBytes);
|
|
569
511
|
return b;
|
|
570
512
|
}
|
|
571
|
-
function
|
|
513
|
+
function getBlock(buffer, block) {
|
|
572
514
|
const start = block.position;
|
|
573
515
|
const end = block.position + block.length;
|
|
574
516
|
return buffer.subarray(start, end);
|
|
575
517
|
}
|
|
576
|
-
function
|
|
577
|
-
return
|
|
518
|
+
function readIntegerAsByteString(buffer, block) {
|
|
519
|
+
return getBlock(buffer, block);
|
|
578
520
|
}
|
|
579
|
-
function
|
|
521
|
+
function readListOfInteger(buffer) {
|
|
580
522
|
const block = readTag(buffer, 0);
|
|
581
|
-
const inner_blocks =
|
|
523
|
+
const inner_blocks = readStruct(buffer, block);
|
|
582
524
|
return inner_blocks.map((innerBlock) => {
|
|
583
|
-
return
|
|
525
|
+
return readIntegerAsByteString(buffer, innerBlock);
|
|
584
526
|
});
|
|
585
527
|
}
|
|
586
528
|
function parseOID(buffer, start, end) {
|
|
@@ -603,7 +545,7 @@ function parseOID(buffer, start, end) {
|
|
|
603
545
|
(0, import_assert.default)(bits === 0);
|
|
604
546
|
return s;
|
|
605
547
|
}
|
|
606
|
-
function
|
|
548
|
+
function readObjectIdentifier(buffer, block) {
|
|
607
549
|
(0, import_assert.default)(block.tag === 6 /* OBJECT_IDENTIFIER */);
|
|
608
550
|
const b = buffer.subarray(block.position, block.position + block.length);
|
|
609
551
|
const oid = parseOID(b, 0, block.length);
|
|
@@ -612,33 +554,33 @@ function _readObjectIdentifier(buffer, block) {
|
|
|
612
554
|
name: oid_map[oid] ? oid_map[oid].d : oid
|
|
613
555
|
};
|
|
614
556
|
}
|
|
615
|
-
function
|
|
616
|
-
const inner_blocks =
|
|
557
|
+
function readAlgorithmIdentifier(buffer, block) {
|
|
558
|
+
const inner_blocks = readStruct(buffer, block);
|
|
617
559
|
return {
|
|
618
|
-
identifier:
|
|
560
|
+
identifier: readObjectIdentifier(buffer, inner_blocks[0]).name
|
|
619
561
|
};
|
|
620
562
|
}
|
|
621
|
-
function
|
|
622
|
-
const inner_blocks =
|
|
563
|
+
function readECCAlgorithmIdentifier(buffer, block) {
|
|
564
|
+
const inner_blocks = readStruct(buffer, block);
|
|
623
565
|
return {
|
|
624
|
-
identifier:
|
|
566
|
+
identifier: readObjectIdentifier(buffer, inner_blocks[1]).name
|
|
625
567
|
// difference with RSA as algorithm is second element of nested block
|
|
626
568
|
};
|
|
627
569
|
}
|
|
628
|
-
function
|
|
629
|
-
return
|
|
570
|
+
function readSignatureValueBin(buffer, block) {
|
|
571
|
+
return readBitString(buffer, block).data;
|
|
630
572
|
}
|
|
631
|
-
function
|
|
632
|
-
return
|
|
573
|
+
function readSignatureValue(buffer, block) {
|
|
574
|
+
return readSignatureValueBin(buffer, block).toString("hex");
|
|
633
575
|
}
|
|
634
|
-
function
|
|
576
|
+
function readLongIntegerValue(buffer, block) {
|
|
635
577
|
(0, import_assert.default)(block.tag === 2 /* INTEGER */, "expecting a INTEGER tag");
|
|
636
578
|
const pos = block.position;
|
|
637
579
|
const nbBytes = block.length;
|
|
638
580
|
const buf = buffer.subarray(pos, pos + nbBytes);
|
|
639
581
|
return buf;
|
|
640
582
|
}
|
|
641
|
-
function
|
|
583
|
+
function readIntegerValue(buffer, block) {
|
|
642
584
|
(0, import_assert.default)(block.tag === 2 /* INTEGER */, "expecting a INTEGER tag");
|
|
643
585
|
let pos = block.position;
|
|
644
586
|
const nbBytes = block.length;
|
|
@@ -650,7 +592,7 @@ function _readIntegerValue(buffer, block) {
|
|
|
650
592
|
}
|
|
651
593
|
return value;
|
|
652
594
|
}
|
|
653
|
-
function
|
|
595
|
+
function readBooleanValue(buffer, block) {
|
|
654
596
|
(0, import_assert.default)(block.tag === 1 /* BOOLEAN */, "expecting a BOOLEAN tag. got " + TagType[block.tag]);
|
|
655
597
|
const pos = block.position;
|
|
656
598
|
const nbBytes = block.length;
|
|
@@ -658,9 +600,9 @@ function _readBooleanValue(buffer, block) {
|
|
|
658
600
|
const value = buffer.readUInt8(pos) ? true : false;
|
|
659
601
|
return value;
|
|
660
602
|
}
|
|
661
|
-
function
|
|
603
|
+
function readVersionValue(buffer, block) {
|
|
662
604
|
block = readTag(buffer, block.position);
|
|
663
|
-
return
|
|
605
|
+
return readIntegerValue(buffer, block);
|
|
664
606
|
}
|
|
665
607
|
function convertGeneralizedTime(str) {
|
|
666
608
|
const year = parseInt(str.substr(0, 4), 10);
|
|
@@ -672,7 +614,7 @@ function convertGeneralizedTime(str) {
|
|
|
672
614
|
return new Date(Date.UTC(year, month, day, hours, mins, secs));
|
|
673
615
|
}
|
|
674
616
|
function _readBMPString(buffer, block) {
|
|
675
|
-
const strBuff =
|
|
617
|
+
const strBuff = getBlock(buffer, block);
|
|
676
618
|
let str = "";
|
|
677
619
|
for (let i = 0; i < strBuff.length; i += 2) {
|
|
678
620
|
const word = strBuff.readUInt16BE(i);
|
|
@@ -690,10 +632,10 @@ function convertUTCTime(str) {
|
|
|
690
632
|
year += year >= 50 ? 1900 : 2e3;
|
|
691
633
|
return new Date(Date.UTC(year, month, day, hours, mins, secs));
|
|
692
634
|
}
|
|
693
|
-
function
|
|
635
|
+
function readValue(buffer, block) {
|
|
694
636
|
switch (block.tag) {
|
|
695
637
|
case 1 /* BOOLEAN */:
|
|
696
|
-
return
|
|
638
|
+
return readBooleanValue(buffer, block);
|
|
697
639
|
case 30 /* BMPString */:
|
|
698
640
|
return _readBMPString(buffer, block);
|
|
699
641
|
case 19 /* PrintableString */:
|
|
@@ -701,52 +643,66 @@ function _readValue(buffer, block) {
|
|
|
701
643
|
case 12 /* UTF8String */:
|
|
702
644
|
case 18 /* NumericString */:
|
|
703
645
|
case 22 /* IA5String */:
|
|
704
|
-
return
|
|
646
|
+
return getBlock(buffer, block).toString("ascii");
|
|
705
647
|
case 23 /* UTCTime */:
|
|
706
|
-
return convertUTCTime(
|
|
648
|
+
return convertUTCTime(getBlock(buffer, block).toString("ascii"));
|
|
707
649
|
case 24 /* GeneralizedTime */:
|
|
708
|
-
return convertGeneralizedTime(
|
|
650
|
+
return convertGeneralizedTime(getBlock(buffer, block).toString("ascii"));
|
|
709
651
|
default:
|
|
710
652
|
throw new Error("Invalid tag 0x" + block.tag.toString(16));
|
|
711
653
|
}
|
|
712
654
|
}
|
|
713
|
-
function
|
|
714
|
-
return JSON.stringify(d);
|
|
715
|
-
}
|
|
716
|
-
function _readDirectoryName(buffer, block) {
|
|
717
|
-
const set_blocks = _readStruct(buffer, block);
|
|
718
|
-
const names = {};
|
|
719
|
-
for (const set_block of set_blocks) {
|
|
720
|
-
(0, import_assert.default)(set_block.tag === 49);
|
|
721
|
-
const blocks = _readStruct(buffer, set_block);
|
|
722
|
-
(0, import_assert.default)(blocks.length === 1);
|
|
723
|
-
(0, import_assert.default)(blocks[0].tag === 48);
|
|
724
|
-
const sequenceBlock = _readStruct(buffer, blocks[0]);
|
|
725
|
-
(0, import_assert.default)(sequenceBlock.length === 2);
|
|
726
|
-
const type = _readObjectIdentifier(buffer, sequenceBlock[0]);
|
|
727
|
-
names[type.name] = _readValue(buffer, sequenceBlock[1]);
|
|
728
|
-
}
|
|
729
|
-
return names;
|
|
730
|
-
}
|
|
731
|
-
function _findBlockAtIndex(blocks, index) {
|
|
655
|
+
function findBlockAtIndex(blocks, index) {
|
|
732
656
|
const tmp = blocks.filter((b) => b.tag === 160 + index || b.tag === 128 + index);
|
|
733
657
|
if (tmp.length === 0) {
|
|
734
658
|
return null;
|
|
735
659
|
}
|
|
736
660
|
return tmp[0];
|
|
737
661
|
}
|
|
738
|
-
function
|
|
739
|
-
return
|
|
662
|
+
function readTime(buffer, block) {
|
|
663
|
+
return readValue(buffer, block);
|
|
664
|
+
}
|
|
665
|
+
|
|
666
|
+
// source/crypto_utils.ts
|
|
667
|
+
var import_constants = __toESM(require("constants"));
|
|
668
|
+
var import_assert4 = __toESM(require("assert"));
|
|
669
|
+
var import_crypto = require("crypto");
|
|
670
|
+
var import_hexy = __toESM(require("hexy"));
|
|
671
|
+
|
|
672
|
+
// source/buffer_utils.ts
|
|
673
|
+
var createFastUninitializedBuffer = Buffer.allocUnsafe ? Buffer.allocUnsafe : (size) => {
|
|
674
|
+
return new Buffer(size);
|
|
675
|
+
};
|
|
676
|
+
|
|
677
|
+
// source/crypto_explore_certificate.ts
|
|
678
|
+
var import_assert3 = __toESM(require("assert"));
|
|
679
|
+
|
|
680
|
+
// source/directory_name.ts
|
|
681
|
+
var import_assert2 = __toESM(require("assert"));
|
|
682
|
+
function readDirectoryName(buffer, block) {
|
|
683
|
+
const set_blocks = readStruct(buffer, block);
|
|
684
|
+
const names = {};
|
|
685
|
+
for (const set_block of set_blocks) {
|
|
686
|
+
(0, import_assert2.default)(set_block.tag === 49);
|
|
687
|
+
const blocks = readStruct(buffer, set_block);
|
|
688
|
+
(0, import_assert2.default)(blocks.length === 1);
|
|
689
|
+
(0, import_assert2.default)(blocks[0].tag === 48);
|
|
690
|
+
const sequenceBlock = readStruct(buffer, blocks[0]);
|
|
691
|
+
(0, import_assert2.default)(sequenceBlock.length === 2);
|
|
692
|
+
const type = readObjectIdentifier(buffer, sequenceBlock[0]);
|
|
693
|
+
names[type.name] = readValue(buffer, sequenceBlock[1]);
|
|
694
|
+
}
|
|
695
|
+
return names;
|
|
740
696
|
}
|
|
741
697
|
|
|
742
698
|
// source/crypto_explore_certificate.ts
|
|
743
699
|
var doDebug = false;
|
|
744
700
|
function _readAttributeTypeAndValue(buffer, block) {
|
|
745
|
-
let inner_blocks =
|
|
746
|
-
inner_blocks =
|
|
701
|
+
let inner_blocks = readStruct(buffer, block);
|
|
702
|
+
inner_blocks = readStruct(buffer, inner_blocks[0]);
|
|
747
703
|
const data = {
|
|
748
|
-
identifier:
|
|
749
|
-
value:
|
|
704
|
+
identifier: readObjectIdentifier(buffer, inner_blocks[0]).name,
|
|
705
|
+
value: readValue(buffer, inner_blocks[1])
|
|
750
706
|
};
|
|
751
707
|
const result = {};
|
|
752
708
|
for (const [key, value] of Object.entries(data)) {
|
|
@@ -755,7 +711,7 @@ function _readAttributeTypeAndValue(buffer, block) {
|
|
|
755
711
|
return result;
|
|
756
712
|
}
|
|
757
713
|
function _readRelativeDistinguishedName(buffer, block) {
|
|
758
|
-
const inner_blocks =
|
|
714
|
+
const inner_blocks = readStruct(buffer, block);
|
|
759
715
|
const data = inner_blocks.map((block2) => _readAttributeTypeAndValue(buffer, block2));
|
|
760
716
|
const result = {};
|
|
761
717
|
for (const e of data) {
|
|
@@ -767,64 +723,64 @@ function _readName(buffer, block) {
|
|
|
767
723
|
return _readRelativeDistinguishedName(buffer, block);
|
|
768
724
|
}
|
|
769
725
|
function _readValidity(buffer, block) {
|
|
770
|
-
const inner_blocks =
|
|
726
|
+
const inner_blocks = readStruct(buffer, block);
|
|
771
727
|
return {
|
|
772
|
-
notBefore:
|
|
773
|
-
notAfter:
|
|
728
|
+
notBefore: readTime(buffer, inner_blocks[0]),
|
|
729
|
+
notAfter: readTime(buffer, inner_blocks[1])
|
|
774
730
|
};
|
|
775
731
|
}
|
|
776
732
|
function _readAuthorityKeyIdentifier(buffer) {
|
|
777
733
|
const block_info = readTag(buffer, 0);
|
|
778
|
-
const blocks =
|
|
779
|
-
const keyIdentifier_block =
|
|
780
|
-
const authorityCertIssuer_block =
|
|
781
|
-
const authorityCertSerialNumber_block =
|
|
734
|
+
const blocks = readStruct(buffer, block_info);
|
|
735
|
+
const keyIdentifier_block = findBlockAtIndex(blocks, 0);
|
|
736
|
+
const authorityCertIssuer_block = findBlockAtIndex(blocks, 1);
|
|
737
|
+
const authorityCertSerialNumber_block = findBlockAtIndex(blocks, 2);
|
|
782
738
|
function _readAuthorityCertIssuer(block) {
|
|
783
|
-
const inner_blocks =
|
|
784
|
-
const directoryName_block =
|
|
739
|
+
const inner_blocks = readStruct(buffer, block);
|
|
740
|
+
const directoryName_block = findBlockAtIndex(inner_blocks, 4);
|
|
785
741
|
if (directoryName_block) {
|
|
786
|
-
const a =
|
|
787
|
-
return
|
|
742
|
+
const a = readStruct(buffer, directoryName_block);
|
|
743
|
+
return readDirectoryName(buffer, a[0]);
|
|
788
744
|
} else {
|
|
789
745
|
throw new Error("Invalid _readAuthorityCertIssuer");
|
|
790
746
|
}
|
|
791
747
|
}
|
|
792
748
|
function _readAuthorityCertIssuerFingerPrint(block) {
|
|
793
|
-
const inner_blocks =
|
|
794
|
-
const directoryName_block =
|
|
749
|
+
const inner_blocks = readStruct(buffer, block);
|
|
750
|
+
const directoryName_block = findBlockAtIndex(inner_blocks, 4);
|
|
795
751
|
if (!directoryName_block) {
|
|
796
752
|
return "";
|
|
797
753
|
}
|
|
798
|
-
const a =
|
|
754
|
+
const a = readStruct(buffer, directoryName_block);
|
|
799
755
|
if (a.length < 1) {
|
|
800
756
|
return "";
|
|
801
757
|
}
|
|
802
|
-
return directoryName_block ? formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(
|
|
758
|
+
return directoryName_block ? formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, a[0]))) : "";
|
|
803
759
|
}
|
|
804
760
|
const authorityCertIssuer = authorityCertIssuer_block ? _readAuthorityCertIssuer(authorityCertIssuer_block) : null;
|
|
805
761
|
const authorityCertIssuerFingerPrint = authorityCertIssuer_block ? _readAuthorityCertIssuerFingerPrint(authorityCertIssuer_block) : "";
|
|
806
762
|
return {
|
|
807
763
|
authorityCertIssuer,
|
|
808
764
|
authorityCertIssuerFingerPrint,
|
|
809
|
-
serial: authorityCertSerialNumber_block ? formatBuffer2DigitHexWithColum(
|
|
765
|
+
serial: authorityCertSerialNumber_block ? formatBuffer2DigitHexWithColum(getBlock(buffer, authorityCertSerialNumber_block)) : null,
|
|
810
766
|
// can be null for self-signed cert
|
|
811
|
-
keyIdentifier: keyIdentifier_block ? formatBuffer2DigitHexWithColum(
|
|
767
|
+
keyIdentifier: keyIdentifier_block ? formatBuffer2DigitHexWithColum(getBlock(buffer, keyIdentifier_block)) : null
|
|
812
768
|
// can be null for self-signed certf
|
|
813
769
|
};
|
|
814
770
|
}
|
|
815
771
|
function readBasicConstraint2_5_29_19(buffer, block) {
|
|
816
772
|
const block_info = readTag(buffer, 0);
|
|
817
|
-
const inner_blocks =
|
|
773
|
+
const inner_blocks = readStruct(buffer, block_info).slice(0, 2);
|
|
818
774
|
let cA = false;
|
|
819
775
|
let pathLengthConstraint = 0;
|
|
820
776
|
let breakControl = 0;
|
|
821
777
|
for (const inner_block of inner_blocks) {
|
|
822
778
|
switch (inner_block.tag) {
|
|
823
779
|
case 1 /* BOOLEAN */:
|
|
824
|
-
cA =
|
|
780
|
+
cA = readBooleanValue(buffer, inner_block);
|
|
825
781
|
break;
|
|
826
782
|
case 2 /* INTEGER */:
|
|
827
|
-
pathLengthConstraint =
|
|
783
|
+
pathLengthConstraint = readIntegerValue(buffer, inner_block);
|
|
828
784
|
breakControl = 1;
|
|
829
785
|
break;
|
|
830
786
|
}
|
|
@@ -846,7 +802,7 @@ function _readGeneralNames(buffer, block) {
|
|
|
846
802
|
8: { name: "registeredID", type: "OBJECT_IDENTIFIER" },
|
|
847
803
|
32: { name: "otherName", type: "AnotherName" }
|
|
848
804
|
};
|
|
849
|
-
const blocks =
|
|
805
|
+
const blocks = readStruct(buffer, block);
|
|
850
806
|
function _readFromType(buffer2, block2, type) {
|
|
851
807
|
switch (type) {
|
|
852
808
|
case "IA5String":
|
|
@@ -857,7 +813,7 @@ function _readGeneralNames(buffer, block) {
|
|
|
857
813
|
}
|
|
858
814
|
const n = {};
|
|
859
815
|
for (const block2 of blocks) {
|
|
860
|
-
(0,
|
|
816
|
+
(0, import_assert3.default)((block2.tag & 128) === 128);
|
|
861
817
|
const t2 = block2.tag & 127;
|
|
862
818
|
const type = _data[t2];
|
|
863
819
|
if (!type) {
|
|
@@ -866,11 +822,11 @@ function _readGeneralNames(buffer, block) {
|
|
|
866
822
|
}
|
|
867
823
|
if (t2 == 32) {
|
|
868
824
|
n[type.name] = n[type.name] || [];
|
|
869
|
-
const blocks2 =
|
|
870
|
-
const name =
|
|
871
|
-
const buf =
|
|
825
|
+
const blocks2 = readStruct(buffer, block2);
|
|
826
|
+
const name = readObjectIdentifier(buffer, blocks2[0]).name;
|
|
827
|
+
const buf = getBlock(buffer, blocks2[1]);
|
|
872
828
|
const b = readTag(buf, 0);
|
|
873
|
-
const nn =
|
|
829
|
+
const nn = readValue(buf, b);
|
|
874
830
|
const data = {
|
|
875
831
|
identifier: name,
|
|
876
832
|
value: nn
|
|
@@ -917,9 +873,9 @@ function readKeyUsage(oid, buffer) {
|
|
|
917
873
|
};
|
|
918
874
|
}
|
|
919
875
|
function readExtKeyUsage(oid, buffer) {
|
|
920
|
-
(0,
|
|
876
|
+
(0, import_assert3.default)(oid === "2.5.29.37");
|
|
921
877
|
const block_info = readTag(buffer, 0);
|
|
922
|
-
const inner_blocks =
|
|
878
|
+
const inner_blocks = readStruct(buffer, block_info);
|
|
923
879
|
const extKeyUsage = {
|
|
924
880
|
serverAuth: false,
|
|
925
881
|
clientAuth: false,
|
|
@@ -932,30 +888,30 @@ function readExtKeyUsage(oid, buffer) {
|
|
|
932
888
|
ocspSigning: false
|
|
933
889
|
};
|
|
934
890
|
for (const block of inner_blocks) {
|
|
935
|
-
const identifier =
|
|
891
|
+
const identifier = readObjectIdentifier(buffer, block);
|
|
936
892
|
extKeyUsage[identifier.name] = true;
|
|
937
893
|
}
|
|
938
894
|
return extKeyUsage;
|
|
939
895
|
}
|
|
940
896
|
function _readSubjectPublicKey(buffer) {
|
|
941
897
|
const block_info = readTag(buffer, 0);
|
|
942
|
-
const blocks =
|
|
898
|
+
const blocks = readStruct(buffer, block_info);
|
|
943
899
|
return {
|
|
944
900
|
modulus: buffer.subarray(blocks[0].position + 1, blocks[0].position + blocks[0].length)
|
|
945
901
|
};
|
|
946
902
|
}
|
|
947
|
-
function
|
|
948
|
-
const inner_blocks =
|
|
903
|
+
function readExtension(buffer, block) {
|
|
904
|
+
const inner_blocks = readStruct(buffer, block);
|
|
949
905
|
if (inner_blocks.length === 3) {
|
|
950
|
-
(0,
|
|
906
|
+
(0, import_assert3.default)(inner_blocks[1].tag === 1 /* BOOLEAN */);
|
|
951
907
|
inner_blocks[1] = inner_blocks[2];
|
|
952
908
|
}
|
|
953
|
-
const identifier =
|
|
954
|
-
const buf =
|
|
909
|
+
const identifier = readObjectIdentifier(buffer, inner_blocks[0]);
|
|
910
|
+
const buf = getBlock(buffer, inner_blocks[1]);
|
|
955
911
|
let value = null;
|
|
956
912
|
switch (identifier.name) {
|
|
957
913
|
case "subjectKeyIdentifier":
|
|
958
|
-
value = formatBuffer2DigitHexWithColum(
|
|
914
|
+
value = formatBuffer2DigitHexWithColum(readOctetString(buffer, inner_blocks[1]));
|
|
959
915
|
break;
|
|
960
916
|
case "subjectAltName":
|
|
961
917
|
value = _readSubjectAltNames(buf);
|
|
@@ -984,10 +940,10 @@ function _readExtension(buffer, block) {
|
|
|
984
940
|
};
|
|
985
941
|
}
|
|
986
942
|
function _readExtensions(buffer, block) {
|
|
987
|
-
(0,
|
|
988
|
-
let inner_blocks =
|
|
989
|
-
inner_blocks =
|
|
990
|
-
const extensions = inner_blocks.map((block2) =>
|
|
943
|
+
(0, import_assert3.default)(block.tag === 163);
|
|
944
|
+
let inner_blocks = readStruct(buffer, block);
|
|
945
|
+
inner_blocks = readStruct(buffer, inner_blocks[0]);
|
|
946
|
+
const extensions = inner_blocks.map((block2) => readExtension(buffer, block2));
|
|
991
947
|
const result = {};
|
|
992
948
|
for (const e of extensions) {
|
|
993
949
|
result[e.identifier.name] = e.value;
|
|
@@ -995,11 +951,11 @@ function _readExtensions(buffer, block) {
|
|
|
995
951
|
return result;
|
|
996
952
|
}
|
|
997
953
|
function _readSubjectPublicKeyInfo(buffer, block) {
|
|
998
|
-
const inner_blocks =
|
|
999
|
-
const algorithm =
|
|
1000
|
-
const subjectPublicKey =
|
|
954
|
+
const inner_blocks = readStruct(buffer, block);
|
|
955
|
+
const algorithm = readAlgorithmIdentifier(buffer, inner_blocks[0]);
|
|
956
|
+
const subjectPublicKey = readBitString(buffer, inner_blocks[1]);
|
|
1001
957
|
const data = subjectPublicKey.data;
|
|
1002
|
-
const values =
|
|
958
|
+
const values = readListOfInteger(data);
|
|
1003
959
|
return {
|
|
1004
960
|
algorithm: algorithm.identifier,
|
|
1005
961
|
keyLength: values[0].length - 1,
|
|
@@ -1009,9 +965,9 @@ function _readSubjectPublicKeyInfo(buffer, block) {
|
|
|
1009
965
|
};
|
|
1010
966
|
}
|
|
1011
967
|
function _readSubjectECCPublicKeyInfo(buffer, block) {
|
|
1012
|
-
const inner_blocks =
|
|
1013
|
-
const algorithm =
|
|
1014
|
-
const subjectPublicKey =
|
|
968
|
+
const inner_blocks = readStruct(buffer, block);
|
|
969
|
+
const algorithm = readECCAlgorithmIdentifier(buffer, inner_blocks[0]);
|
|
970
|
+
const subjectPublicKey = readBitString(buffer, inner_blocks[1]);
|
|
1015
971
|
const data = subjectPublicKey.data;
|
|
1016
972
|
return {
|
|
1017
973
|
algorithm: algorithm.identifier,
|
|
@@ -1022,33 +978,33 @@ function _readSubjectECCPublicKeyInfo(buffer, block) {
|
|
|
1022
978
|
};
|
|
1023
979
|
}
|
|
1024
980
|
function readTbsCertificate(buffer, block) {
|
|
1025
|
-
const blocks =
|
|
981
|
+
const blocks = readStruct(buffer, block);
|
|
1026
982
|
let version, serialNumber, signature, issuer, validity, subject, subjectFingerPrint, extensions;
|
|
1027
983
|
let subjectPublicKeyInfo;
|
|
1028
984
|
if (blocks.length === 6) {
|
|
1029
985
|
version = 1;
|
|
1030
|
-
serialNumber = formatBuffer2DigitHexWithColum(
|
|
1031
|
-
signature =
|
|
986
|
+
serialNumber = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, blocks[0]));
|
|
987
|
+
signature = readAlgorithmIdentifier(buffer, blocks[1]);
|
|
1032
988
|
issuer = _readName(buffer, blocks[2]);
|
|
1033
989
|
validity = _readValidity(buffer, blocks[3]);
|
|
1034
990
|
subject = _readName(buffer, blocks[4]);
|
|
1035
|
-
subjectFingerPrint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(
|
|
991
|
+
subjectFingerPrint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[4])));
|
|
1036
992
|
subjectPublicKeyInfo = _readSubjectPublicKeyInfo(buffer, blocks[5]);
|
|
1037
993
|
extensions = null;
|
|
1038
994
|
} else {
|
|
1039
|
-
const version_block =
|
|
995
|
+
const version_block = findBlockAtIndex(blocks, 0);
|
|
1040
996
|
if (!version_block) {
|
|
1041
997
|
throw new Error("cannot find version block");
|
|
1042
998
|
}
|
|
1043
|
-
version =
|
|
1044
|
-
serialNumber = formatBuffer2DigitHexWithColum(
|
|
1045
|
-
signature =
|
|
999
|
+
version = readVersionValue(buffer, version_block) + 1;
|
|
1000
|
+
serialNumber = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, blocks[1]));
|
|
1001
|
+
signature = readAlgorithmIdentifier(buffer, blocks[2]);
|
|
1046
1002
|
issuer = _readName(buffer, blocks[3]);
|
|
1047
1003
|
validity = _readValidity(buffer, blocks[4]);
|
|
1048
1004
|
subject = _readName(buffer, blocks[5]);
|
|
1049
|
-
subjectFingerPrint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(
|
|
1050
|
-
const inner_block =
|
|
1051
|
-
const what_type =
|
|
1005
|
+
subjectFingerPrint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[5])));
|
|
1006
|
+
const inner_block = readStruct(buffer, blocks[6]);
|
|
1007
|
+
const what_type = readAlgorithmIdentifier(buffer, inner_block[0]).identifier;
|
|
1052
1008
|
switch (what_type) {
|
|
1053
1009
|
case "rsaEncryption": {
|
|
1054
1010
|
subjectPublicKeyInfo = _readSubjectPublicKeyInfo(buffer, blocks[6]);
|
|
@@ -1060,7 +1016,7 @@ function readTbsCertificate(buffer, block) {
|
|
|
1060
1016
|
break;
|
|
1061
1017
|
}
|
|
1062
1018
|
}
|
|
1063
|
-
const extensionBlock =
|
|
1019
|
+
const extensionBlock = findBlockAtIndex(blocks, 3);
|
|
1064
1020
|
if (!extensionBlock) {
|
|
1065
1021
|
doDebug && console.log("X509 certificate is invalid : cannot find extension block version =" + version_block);
|
|
1066
1022
|
extensions = null;
|
|
@@ -1081,14 +1037,14 @@ function readTbsCertificate(buffer, block) {
|
|
|
1081
1037
|
};
|
|
1082
1038
|
}
|
|
1083
1039
|
function exploreCertificate(certificate) {
|
|
1084
|
-
(0,
|
|
1040
|
+
(0, import_assert3.default)(certificate instanceof Buffer);
|
|
1085
1041
|
if (!certificate._exploreCertificate_cache) {
|
|
1086
1042
|
const block_info = readTag(certificate, 0);
|
|
1087
|
-
const blocks =
|
|
1043
|
+
const blocks = readStruct(certificate, block_info);
|
|
1088
1044
|
certificate._exploreCertificate_cache = {
|
|
1089
1045
|
tbsCertificate: readTbsCertificate(certificate, blocks[0]),
|
|
1090
|
-
signatureAlgorithm:
|
|
1091
|
-
signatureValue:
|
|
1046
|
+
signatureAlgorithm: readAlgorithmIdentifier(certificate, blocks[1]),
|
|
1047
|
+
signatureValue: readSignatureValue(certificate, blocks[2])
|
|
1092
1048
|
};
|
|
1093
1049
|
}
|
|
1094
1050
|
return certificate._exploreCertificate_cache;
|
|
@@ -1110,10 +1066,10 @@ function combine_der(certificates) {
|
|
|
1110
1066
|
let sum = 0;
|
|
1111
1067
|
b.forEach((block) => {
|
|
1112
1068
|
const block_info = readTag(block, 0);
|
|
1113
|
-
(0,
|
|
1069
|
+
(0, import_assert3.default)(block_info.position + block_info.length === block.length);
|
|
1114
1070
|
sum += block.length;
|
|
1115
1071
|
});
|
|
1116
|
-
(0,
|
|
1072
|
+
(0, import_assert3.default)(sum === cert.length);
|
|
1117
1073
|
}
|
|
1118
1074
|
return Buffer.concat(certificates);
|
|
1119
1075
|
}
|
|
@@ -1135,14 +1091,14 @@ function removeTrailingLF(str) {
|
|
|
1135
1091
|
return tmp;
|
|
1136
1092
|
}
|
|
1137
1093
|
function toPem(raw_key, pem) {
|
|
1138
|
-
(0,
|
|
1139
|
-
(0,
|
|
1094
|
+
(0, import_assert4.default)(raw_key, "expecting a key");
|
|
1095
|
+
(0, import_assert4.default)(typeof pem === "string");
|
|
1140
1096
|
let pemType = identifyPemType(raw_key);
|
|
1141
1097
|
if (pemType) {
|
|
1142
1098
|
return raw_key instanceof Buffer ? removeTrailingLF(raw_key.toString("utf8")) : removeTrailingLF(raw_key);
|
|
1143
1099
|
} else {
|
|
1144
1100
|
pemType = pem;
|
|
1145
|
-
(0,
|
|
1101
|
+
(0, import_assert4.default)(["CERTIFICATE REQUEST", "CERTIFICATE", "RSA PRIVATE KEY", "PUBLIC KEY", "X509 CRL"].indexOf(pemType) >= 0);
|
|
1146
1102
|
let b = raw_key.toString("base64");
|
|
1147
1103
|
let str = "-----BEGIN " + pemType + "-----\n";
|
|
1148
1104
|
while (b.length) {
|
|
@@ -1179,19 +1135,19 @@ function hexDump(buffer, width) {
|
|
|
1179
1135
|
}
|
|
1180
1136
|
}
|
|
1181
1137
|
function makeMessageChunkSignature(chunk, options) {
|
|
1182
|
-
const signer = (0,
|
|
1138
|
+
const signer = (0, import_crypto.createSign)(options.algorithm);
|
|
1183
1139
|
signer.update(chunk);
|
|
1184
1140
|
const signature = signer.sign(options.privateKey.hidden);
|
|
1185
|
-
(0,
|
|
1141
|
+
(0, import_assert4.default)(!options.signatureLength || signature.length === options.signatureLength);
|
|
1186
1142
|
return signature;
|
|
1187
1143
|
}
|
|
1188
1144
|
function verifyMessageChunkSignature(blockToVerify, signature, options) {
|
|
1189
|
-
const verify = (0,
|
|
1145
|
+
const verify = (0, import_crypto.createVerify)(options.algorithm);
|
|
1190
1146
|
verify.update(blockToVerify);
|
|
1191
1147
|
return verify.verify(options.publicKey, signature);
|
|
1192
1148
|
}
|
|
1193
1149
|
function makeSHA1Thumbprint(buffer) {
|
|
1194
|
-
return (0,
|
|
1150
|
+
return (0, import_crypto.createHash)("sha1").update(buffer).digest();
|
|
1195
1151
|
}
|
|
1196
1152
|
var RSA_PKCS1_OAEP_PADDING = import_constants.default.RSA_PKCS1_OAEP_PADDING;
|
|
1197
1153
|
var RSA_PKCS1_PADDING = import_constants.default.RSA_PKCS1_PADDING;
|
|
@@ -1200,13 +1156,13 @@ var PaddingAlgorithm = /* @__PURE__ */ ((PaddingAlgorithm2) => {
|
|
|
1200
1156
|
PaddingAlgorithm2[PaddingAlgorithm2["RSA_PKCS1_PADDING"] = 1] = "RSA_PKCS1_PADDING";
|
|
1201
1157
|
return PaddingAlgorithm2;
|
|
1202
1158
|
})(PaddingAlgorithm || {});
|
|
1203
|
-
(0,
|
|
1204
|
-
(0,
|
|
1159
|
+
(0, import_assert4.default)(4 /* RSA_PKCS1_OAEP_PADDING */ === import_constants.default.RSA_PKCS1_OAEP_PADDING);
|
|
1160
|
+
(0, import_assert4.default)(1 /* RSA_PKCS1_PADDING */ === import_constants.default.RSA_PKCS1_PADDING);
|
|
1205
1161
|
function publicEncrypt_native(buffer, publicKey, algorithm) {
|
|
1206
1162
|
if (algorithm === void 0) {
|
|
1207
1163
|
algorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
|
|
1208
1164
|
}
|
|
1209
|
-
return (0,
|
|
1165
|
+
return (0, import_crypto.publicEncrypt)(
|
|
1210
1166
|
{
|
|
1211
1167
|
key: publicKey,
|
|
1212
1168
|
padding: algorithm
|
|
@@ -1219,7 +1175,7 @@ function privateDecrypt_native(buffer, privateKey, algorithm) {
|
|
|
1219
1175
|
algorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
|
|
1220
1176
|
}
|
|
1221
1177
|
try {
|
|
1222
|
-
return (0,
|
|
1178
|
+
return (0, import_crypto.privateDecrypt)(
|
|
1223
1179
|
{
|
|
1224
1180
|
key: privateKey.hidden,
|
|
1225
1181
|
padding: algorithm
|
|
@@ -1278,14 +1234,14 @@ function coerceCertificatePem(certificate) {
|
|
|
1278
1234
|
if (certificate instanceof Buffer) {
|
|
1279
1235
|
certificate = toPem(certificate, "CERTIFICATE");
|
|
1280
1236
|
}
|
|
1281
|
-
(0,
|
|
1237
|
+
(0, import_assert4.default)(typeof certificate === "string");
|
|
1282
1238
|
return certificate;
|
|
1283
1239
|
}
|
|
1284
1240
|
function extractPublicKeyFromCertificateSync(certificate) {
|
|
1285
1241
|
certificate = coerceCertificatePem(certificate);
|
|
1286
1242
|
const key = import_jsrsasign.default.KEYUTIL.getKey(certificate);
|
|
1287
1243
|
const publicKeyAsPem = import_jsrsasign.default.KEYUTIL.getPEM(key);
|
|
1288
|
-
(0,
|
|
1244
|
+
(0, import_assert4.default)(typeof publicKeyAsPem === "string");
|
|
1289
1245
|
return publicKeyAsPem;
|
|
1290
1246
|
}
|
|
1291
1247
|
function extractPublicKeyFromCertificate(certificate, callback) {
|
|
@@ -1301,13 +1257,192 @@ function extractPublicKeyFromCertificate(certificate, callback) {
|
|
|
1301
1257
|
});
|
|
1302
1258
|
}
|
|
1303
1259
|
|
|
1260
|
+
// source/explore_private_key.ts
|
|
1261
|
+
function f(buffer, b) {
|
|
1262
|
+
return buffer.subarray(b.position + 1, b.position + b.length);
|
|
1263
|
+
}
|
|
1264
|
+
var doDebug2 = !!process.env.DEBUG;
|
|
1265
|
+
function explorePrivateKey(privateKey2) {
|
|
1266
|
+
const privateKey1 = privateKey2.hidden;
|
|
1267
|
+
const privateKey = typeof privateKey1 === "string" ? convertPEMtoDER(privateKey1) : privateKey1.export({ format: "der", type: "pkcs1" });
|
|
1268
|
+
const block_info = readTag(privateKey, 0);
|
|
1269
|
+
const blocks = readStruct(privateKey, block_info);
|
|
1270
|
+
if (blocks.length === 9) {
|
|
1271
|
+
const version2 = f(privateKey, blocks[0]);
|
|
1272
|
+
const modulus2 = f(privateKey, blocks[1]);
|
|
1273
|
+
const publicExponent2 = f(privateKey, blocks[2]);
|
|
1274
|
+
const privateExponent2 = f(privateKey, blocks[3]);
|
|
1275
|
+
const prime12 = f(privateKey, blocks[4]);
|
|
1276
|
+
const prime22 = f(privateKey, blocks[5]);
|
|
1277
|
+
const exponent12 = f(privateKey, blocks[6]);
|
|
1278
|
+
const exponent22 = f(privateKey, blocks[7]);
|
|
1279
|
+
return {
|
|
1280
|
+
version: version2,
|
|
1281
|
+
modulus: modulus2,
|
|
1282
|
+
publicExponent: publicExponent2,
|
|
1283
|
+
privateExponent: privateExponent2,
|
|
1284
|
+
prime1: prime12,
|
|
1285
|
+
prime2: prime22,
|
|
1286
|
+
exponent1: exponent12,
|
|
1287
|
+
exponent2: exponent22
|
|
1288
|
+
};
|
|
1289
|
+
}
|
|
1290
|
+
if (doDebug2) {
|
|
1291
|
+
console.log("-------------------- private key:");
|
|
1292
|
+
console.log(block_info);
|
|
1293
|
+
console.log(
|
|
1294
|
+
blocks.map((b2) => ({
|
|
1295
|
+
tag: TagType[b2.tag] + " 0x" + b2.tag.toString(16),
|
|
1296
|
+
l: b2.length,
|
|
1297
|
+
p: b2.position,
|
|
1298
|
+
buff: privateKey.subarray(b2.position, b2.position + b2.length).toString("hex")
|
|
1299
|
+
}))
|
|
1300
|
+
);
|
|
1301
|
+
}
|
|
1302
|
+
const b = blocks[2];
|
|
1303
|
+
const bb = privateKey.subarray(b.position, b.position + b.length);
|
|
1304
|
+
const block_info1 = readTag(bb, 0);
|
|
1305
|
+
const blocks1 = readStruct(bb, block_info1);
|
|
1306
|
+
if (doDebug2) {
|
|
1307
|
+
console.log(
|
|
1308
|
+
blocks1.map((b2) => ({
|
|
1309
|
+
tag: TagType[b2.tag] + " 0x" + b2.tag.toString(16),
|
|
1310
|
+
l: b2.length,
|
|
1311
|
+
p: b2.position,
|
|
1312
|
+
buff: bb.subarray(b2.position, b2.position + b2.length).toString("hex")
|
|
1313
|
+
}))
|
|
1314
|
+
);
|
|
1315
|
+
}
|
|
1316
|
+
const version = f(bb, blocks1[0]);
|
|
1317
|
+
const modulus = f(bb, blocks1[1]);
|
|
1318
|
+
const publicExponent = f(bb, blocks1[2]);
|
|
1319
|
+
const privateExponent = f(bb, blocks1[3]);
|
|
1320
|
+
const prime1 = f(bb, blocks1[4]);
|
|
1321
|
+
const prime2 = f(bb, blocks1[5]);
|
|
1322
|
+
const exponent1 = f(bb, blocks1[6]);
|
|
1323
|
+
const exponent2 = f(bb, blocks1[7]);
|
|
1324
|
+
return {
|
|
1325
|
+
version,
|
|
1326
|
+
modulus,
|
|
1327
|
+
publicExponent,
|
|
1328
|
+
privateExponent,
|
|
1329
|
+
prime1,
|
|
1330
|
+
prime2,
|
|
1331
|
+
exponent1,
|
|
1332
|
+
exponent2
|
|
1333
|
+
};
|
|
1334
|
+
}
|
|
1335
|
+
|
|
1336
|
+
// source/public_private_match.ts
|
|
1337
|
+
function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
|
|
1338
|
+
const i = exploreCertificate(certificate);
|
|
1339
|
+
const j = explorePrivateKey(privateKey);
|
|
1340
|
+
const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
|
|
1341
|
+
const modulus2 = j.modulus;
|
|
1342
|
+
if (modulus1.length != modulus2.length) {
|
|
1343
|
+
return false;
|
|
1344
|
+
}
|
|
1345
|
+
return modulus1.toString("hex") === modulus2.toString("hex");
|
|
1346
|
+
}
|
|
1347
|
+
function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
|
|
1348
|
+
const initialBuffer = Buffer.from("Lorem Ipsum");
|
|
1349
|
+
const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize);
|
|
1350
|
+
const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
|
|
1351
|
+
const finalString = decryptedBuffer.toString("utf-8");
|
|
1352
|
+
return initialBuffer.toString("utf-8") === finalString;
|
|
1353
|
+
}
|
|
1354
|
+
function certificateMatchesPrivateKey(certificate, privateKey) {
|
|
1355
|
+
const e = explorePrivateKey(privateKey);
|
|
1356
|
+
const blockSize = e.modulus.length;
|
|
1357
|
+
const certificatePEM = toPem(certificate, "CERTIFICATE");
|
|
1358
|
+
return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
|
|
1359
|
+
}
|
|
1360
|
+
|
|
1361
|
+
// source/common.ts
|
|
1362
|
+
var import_crypto2 = __toESM(require("crypto"));
|
|
1363
|
+
var KeyObjectOrig = import_crypto2.default.KeyObject;
|
|
1364
|
+
var { createPrivateKey: createPrivateKeyFromNodeJSCrypto } = import_crypto2.default;
|
|
1365
|
+
function isKeyObject(mayBeKeyObject) {
|
|
1366
|
+
if (KeyObjectOrig) {
|
|
1367
|
+
return mayBeKeyObject instanceof KeyObjectOrig;
|
|
1368
|
+
}
|
|
1369
|
+
return typeof mayBeKeyObject === "object" && typeof mayBeKeyObject.type === "string";
|
|
1370
|
+
}
|
|
1371
|
+
var CertificatePurpose = /* @__PURE__ */ ((CertificatePurpose2) => {
|
|
1372
|
+
CertificatePurpose2[CertificatePurpose2["NotSpecified"] = 0] = "NotSpecified";
|
|
1373
|
+
CertificatePurpose2[CertificatePurpose2["ForCertificateAuthority"] = 1] = "ForCertificateAuthority";
|
|
1374
|
+
CertificatePurpose2[CertificatePurpose2["ForApplication"] = 2] = "ForApplication";
|
|
1375
|
+
CertificatePurpose2[CertificatePurpose2["ForUserAuthentication"] = 3] = "ForUserAuthentication";
|
|
1376
|
+
return CertificatePurpose2;
|
|
1377
|
+
})(CertificatePurpose || {});
|
|
1378
|
+
|
|
1379
|
+
// source/crypto_utils2.ts
|
|
1380
|
+
var import_assert5 = __toESM(require("assert"));
|
|
1381
|
+
var import_jsrsasign2 = __toESM(require("jsrsasign"));
|
|
1382
|
+
function rsaLengthPrivateKey(key) {
|
|
1383
|
+
const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
|
|
1384
|
+
const a = import_jsrsasign2.default.KEYUTIL.getKey(keyPem);
|
|
1385
|
+
return a.n.toString(16).length / 2;
|
|
1386
|
+
}
|
|
1387
|
+
function toPem2(raw_key, pem) {
|
|
1388
|
+
if (raw_key.hidden) {
|
|
1389
|
+
return toPem2(raw_key.hidden, pem);
|
|
1390
|
+
}
|
|
1391
|
+
(0, import_assert5.default)(raw_key, "expecting a key");
|
|
1392
|
+
(0, import_assert5.default)(typeof pem === "string");
|
|
1393
|
+
if (isKeyObject(raw_key)) {
|
|
1394
|
+
const _raw_key = raw_key;
|
|
1395
|
+
if (pem === "RSA PRIVATE KEY") {
|
|
1396
|
+
return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs1" }).toString());
|
|
1397
|
+
} else if (pem === "PRIVATE KEY") {
|
|
1398
|
+
return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs8" }).toString());
|
|
1399
|
+
} else {
|
|
1400
|
+
throw new Error("Unsupported case!");
|
|
1401
|
+
}
|
|
1402
|
+
}
|
|
1403
|
+
return toPem(raw_key, pem);
|
|
1404
|
+
}
|
|
1405
|
+
function coercePrivateKeyPem(privateKey) {
|
|
1406
|
+
return toPem2(privateKey, "PRIVATE KEY");
|
|
1407
|
+
}
|
|
1408
|
+
function coercePublicKeyPem(publicKey) {
|
|
1409
|
+
if (isKeyObject(publicKey)) {
|
|
1410
|
+
return publicKey.export({ format: "pem", type: "spki" }).toString();
|
|
1411
|
+
}
|
|
1412
|
+
(0, import_assert5.default)(typeof publicKey === "string");
|
|
1413
|
+
return publicKey;
|
|
1414
|
+
}
|
|
1415
|
+
function coerceRsaPublicKeyPem(publicKey) {
|
|
1416
|
+
if (isKeyObject(publicKey)) {
|
|
1417
|
+
return publicKey.export({ format: "pem", type: "spki" }).toString();
|
|
1418
|
+
}
|
|
1419
|
+
(0, import_assert5.default)(typeof publicKey === "string");
|
|
1420
|
+
return publicKey;
|
|
1421
|
+
}
|
|
1422
|
+
function rsaLengthPublicKey(key) {
|
|
1423
|
+
key = coercePublicKeyPem(key);
|
|
1424
|
+
(0, import_assert5.default)(typeof key === "string");
|
|
1425
|
+
const a = import_jsrsasign2.default.KEYUTIL.getKey(key);
|
|
1426
|
+
return a.n.toString(16).length / 2;
|
|
1427
|
+
}
|
|
1428
|
+
function rsaLengthRsaPublicKey(key) {
|
|
1429
|
+
key = coerceRsaPublicKeyPem(key);
|
|
1430
|
+
(0, import_assert5.default)(typeof key === "string");
|
|
1431
|
+
const a = import_jsrsasign2.default.KEYUTIL.getKey(key);
|
|
1432
|
+
return a.n.toString(16).length / 2;
|
|
1433
|
+
}
|
|
1434
|
+
|
|
1435
|
+
// source/derived_keys.ts
|
|
1436
|
+
var import_assert7 = __toESM(require("assert"));
|
|
1437
|
+
var import_crypto3 = require("crypto");
|
|
1438
|
+
|
|
1304
1439
|
// source/explore_certificate.ts
|
|
1305
|
-
var
|
|
1440
|
+
var import_assert6 = __toESM(require("assert"));
|
|
1306
1441
|
function coerceCertificate(certificate) {
|
|
1307
1442
|
if (typeof certificate === "string") {
|
|
1308
1443
|
certificate = convertPEMtoDER(certificate);
|
|
1309
1444
|
}
|
|
1310
|
-
(0,
|
|
1445
|
+
(0, import_assert6.default)(certificate instanceof Buffer);
|
|
1311
1446
|
return certificate;
|
|
1312
1447
|
}
|
|
1313
1448
|
function exploreCertificateInfo(certificate) {
|
|
@@ -1334,8 +1469,8 @@ function plus(buf1, buf2) {
|
|
|
1334
1469
|
return Buffer.concat([buf1, buf2]);
|
|
1335
1470
|
}
|
|
1336
1471
|
function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
|
|
1337
|
-
(0,
|
|
1338
|
-
(0,
|
|
1472
|
+
(0, import_assert7.default)(seed instanceof Buffer);
|
|
1473
|
+
(0, import_assert7.default)(sha1or256 === "SHA1" || sha1or256 === "SHA256");
|
|
1339
1474
|
const a = [];
|
|
1340
1475
|
a[0] = seed;
|
|
1341
1476
|
let index = 1;
|
|
@@ -1348,12 +1483,12 @@ function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
|
|
|
1348
1483
|
return p_hash.subarray(0, minLength);
|
|
1349
1484
|
}
|
|
1350
1485
|
function computeDerivedKeys(secret, seed, options) {
|
|
1351
|
-
(0,
|
|
1352
|
-
(0,
|
|
1353
|
-
(0,
|
|
1354
|
-
(0,
|
|
1486
|
+
(0, import_assert7.default)(Number.isFinite(options.signatureLength));
|
|
1487
|
+
(0, import_assert7.default)(Number.isFinite(options.encryptingKeyLength));
|
|
1488
|
+
(0, import_assert7.default)(Number.isFinite(options.encryptingBlockSize));
|
|
1489
|
+
(0, import_assert7.default)(typeof options.algorithm === "string");
|
|
1355
1490
|
options.sha1or256 = options.sha1or256 || "SHA1";
|
|
1356
|
-
(0,
|
|
1491
|
+
(0, import_assert7.default)(typeof options.sha1or256 === "string");
|
|
1357
1492
|
const offset1 = options.signingKeyLength;
|
|
1358
1493
|
const offset2 = offset1 + options.encryptingKeyLength;
|
|
1359
1494
|
const minLength = offset2 + options.encryptingBlockSize;
|
|
@@ -1378,7 +1513,7 @@ function removePadding(buffer) {
|
|
|
1378
1513
|
return reduceLength(buffer, nbPaddingBytes);
|
|
1379
1514
|
}
|
|
1380
1515
|
function verifyChunkSignature(chunk, options) {
|
|
1381
|
-
(0,
|
|
1516
|
+
(0, import_assert7.default)(chunk instanceof Buffer);
|
|
1382
1517
|
let signatureLength = options.signatureLength || 0;
|
|
1383
1518
|
if (signatureLength === 0) {
|
|
1384
1519
|
const cert = exploreCertificateInfo(options.publicKey);
|
|
@@ -1389,16 +1524,16 @@ function verifyChunkSignature(chunk, options) {
|
|
|
1389
1524
|
return verifyMessageChunkSignature(block_to_verify, signature, options);
|
|
1390
1525
|
}
|
|
1391
1526
|
function computePaddingFooter(buffer, derivedKeys) {
|
|
1392
|
-
(0,
|
|
1527
|
+
(0, import_assert7.default)(Object.prototype.hasOwnProperty.call(derivedKeys, "encryptingBlockSize"));
|
|
1393
1528
|
const paddingSize = derivedKeys.encryptingBlockSize - (buffer.length + 1) % derivedKeys.encryptingBlockSize;
|
|
1394
1529
|
const padding = createFastUninitializedBuffer(paddingSize + 1);
|
|
1395
1530
|
padding.fill(paddingSize);
|
|
1396
1531
|
return padding;
|
|
1397
1532
|
}
|
|
1398
1533
|
function derivedKeys_algorithm(derivedKeys) {
|
|
1399
|
-
(0,
|
|
1534
|
+
(0, import_assert7.default)(Object.prototype.hasOwnProperty.call(derivedKeys, "algorithm"));
|
|
1400
1535
|
const algorithm = derivedKeys.algorithm || "aes-128-cbc";
|
|
1401
|
-
(0,
|
|
1536
|
+
(0, import_assert7.default)(algorithm === "aes-128-cbc" || algorithm === "aes-256-cbc");
|
|
1402
1537
|
return algorithm;
|
|
1403
1538
|
}
|
|
1404
1539
|
function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
|
|
@@ -1424,12 +1559,12 @@ function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
|
|
|
1424
1559
|
return Buffer.concat(decrypted_chunks);
|
|
1425
1560
|
}
|
|
1426
1561
|
function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
|
|
1427
|
-
(0,
|
|
1428
|
-
(0,
|
|
1429
|
-
(0,
|
|
1430
|
-
(0,
|
|
1562
|
+
(0, import_assert7.default)(message instanceof Buffer);
|
|
1563
|
+
(0, import_assert7.default)(derivedKeys.signingKey instanceof Buffer);
|
|
1564
|
+
(0, import_assert7.default)(typeof derivedKeys.sha1or256 === "string");
|
|
1565
|
+
(0, import_assert7.default)(derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
|
|
1431
1566
|
const signature = (0, import_crypto3.createHmac)(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
|
|
1432
|
-
(0,
|
|
1567
|
+
(0, import_assert7.default)(signature.length === derivedKeys.signatureLength);
|
|
1433
1568
|
return signature;
|
|
1434
1569
|
}
|
|
1435
1570
|
function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
|
|
@@ -1439,170 +1574,75 @@ function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
|
|
|
1439
1574
|
return computedSignature.toString("hex") === expectedSignature.toString("hex");
|
|
1440
1575
|
}
|
|
1441
1576
|
|
|
1442
|
-
// source/
|
|
1443
|
-
|
|
1444
|
-
|
|
1445
|
-
function rsaLengthPrivateKey(key) {
|
|
1446
|
-
const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
|
|
1447
|
-
const a = import_jsrsasign2.default.KEYUTIL.getKey(keyPem);
|
|
1448
|
-
return a.n.toString(16).length / 2;
|
|
1449
|
-
}
|
|
1450
|
-
function toPem2(raw_key, pem) {
|
|
1451
|
-
if (raw_key.hidden) {
|
|
1452
|
-
return toPem2(raw_key.hidden, pem);
|
|
1453
|
-
}
|
|
1454
|
-
(0, import_assert6.default)(raw_key, "expecting a key");
|
|
1455
|
-
(0, import_assert6.default)(typeof pem === "string");
|
|
1456
|
-
if (isKeyObject(raw_key)) {
|
|
1457
|
-
const _raw_key = raw_key;
|
|
1458
|
-
if (pem === "RSA PRIVATE KEY") {
|
|
1459
|
-
return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs1" }).toString());
|
|
1460
|
-
} else if (pem === "PRIVATE KEY") {
|
|
1461
|
-
return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs8" }).toString());
|
|
1462
|
-
} else {
|
|
1463
|
-
throw new Error("Unsupported case!");
|
|
1464
|
-
}
|
|
1465
|
-
}
|
|
1466
|
-
return toPem(raw_key, pem);
|
|
1467
|
-
}
|
|
1468
|
-
function coercePrivateKeyPem(privateKey) {
|
|
1469
|
-
return toPem2(privateKey, "PRIVATE KEY");
|
|
1470
|
-
}
|
|
1471
|
-
function coercePublicKeyPem(publicKey) {
|
|
1472
|
-
if (isKeyObject(publicKey)) {
|
|
1473
|
-
return publicKey.export({ format: "pem", type: "spki" }).toString();
|
|
1474
|
-
}
|
|
1475
|
-
(0, import_assert6.default)(typeof publicKey === "string");
|
|
1476
|
-
return publicKey;
|
|
1477
|
-
}
|
|
1478
|
-
function coerceRsaPublicKeyPem(publicKey) {
|
|
1479
|
-
if (isKeyObject(publicKey)) {
|
|
1480
|
-
return publicKey.export({ format: "pem", type: "spki" }).toString();
|
|
1481
|
-
}
|
|
1482
|
-
(0, import_assert6.default)(typeof publicKey === "string");
|
|
1483
|
-
return publicKey;
|
|
1484
|
-
}
|
|
1485
|
-
function rsaLengthPublicKey(key) {
|
|
1486
|
-
key = coercePublicKeyPem(key);
|
|
1487
|
-
(0, import_assert6.default)(typeof key === "string");
|
|
1488
|
-
const a = import_jsrsasign2.default.KEYUTIL.getKey(key);
|
|
1489
|
-
return a.n.toString(16).length / 2;
|
|
1490
|
-
}
|
|
1491
|
-
function rsaLengthRsaPublicKey(key) {
|
|
1492
|
-
key = coerceRsaPublicKeyPem(key);
|
|
1493
|
-
(0, import_assert6.default)(typeof key === "string");
|
|
1494
|
-
const a = import_jsrsasign2.default.KEYUTIL.getKey(key);
|
|
1495
|
-
return a.n.toString(16).length / 2;
|
|
1496
|
-
}
|
|
1497
|
-
|
|
1498
|
-
// source/verify_certificate_signature.ts
|
|
1499
|
-
var import_crypto4 = require("crypto");
|
|
1500
|
-
function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
|
|
1501
|
-
const block_info = readTag(certificateOrCrl, 0);
|
|
1502
|
-
const blocks = _readStruct(certificateOrCrl, block_info);
|
|
1503
|
-
const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
|
|
1504
|
-
const signatureAlgorithm = _readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
|
|
1505
|
-
const signatureValue = _readSignatureValueBin(certificateOrCrl, blocks[2]);
|
|
1506
|
-
const p = split_der(parentCertificate)[0];
|
|
1507
|
-
const certPem = toPem(p, "CERTIFICATE");
|
|
1508
|
-
const verify = (0, import_crypto4.createVerify)(signatureAlgorithm.identifier);
|
|
1509
|
-
verify.update(bufferToBeSigned);
|
|
1510
|
-
verify.end();
|
|
1511
|
-
return verify.verify(certPem, signatureValue);
|
|
1512
|
-
}
|
|
1513
|
-
function verifyCertificateSignature(certificate, parentCertificate) {
|
|
1514
|
-
return verifyCertificateOrClrSignature(certificate, parentCertificate);
|
|
1577
|
+
// source/explore_asn1.ts
|
|
1578
|
+
function t(tag) {
|
|
1579
|
+
return TagType[tag];
|
|
1515
1580
|
}
|
|
1516
|
-
function
|
|
1517
|
-
|
|
1581
|
+
function bi(blockInfo, depth) {
|
|
1582
|
+
const indent = " ".repeat(depth);
|
|
1583
|
+
const hl = blockInfo.position - blockInfo.start;
|
|
1584
|
+
return `${blockInfo.start.toString().padStart(5, " ")}:d=${depth} hl=${hl.toString().padEnd(3, " ")} l=${blockInfo.length.toString().padStart(6, " ")} ${blockInfo.tag.toString(16).padEnd(2, " ")} ${indent} ${t(blockInfo.tag)}`;
|
|
1518
1585
|
}
|
|
1519
|
-
|
|
1520
|
-
|
|
1521
|
-
|
|
1522
|
-
const
|
|
1523
|
-
|
|
1524
|
-
|
|
1525
|
-
|
|
1526
|
-
|
|
1527
|
-
|
|
1528
|
-
|
|
1529
|
-
|
|
1530
|
-
|
|
1531
|
-
|
|
1532
|
-
if (!parentSignChild) {
|
|
1533
|
-
return {
|
|
1534
|
-
status: "BadCertificateInvalid",
|
|
1535
|
-
reason: "One of the certificate in the chain is not signing the previous certificate"
|
|
1536
|
-
};
|
|
1537
|
-
}
|
|
1538
|
-
const certInfo = exploreCertificate(cert);
|
|
1539
|
-
if (!certInfo.tbsCertificate.extensions) {
|
|
1540
|
-
return {
|
|
1541
|
-
status: "BadCertificateInvalid",
|
|
1542
|
-
reason: "Cannot find X409 Extension 3 in certificate"
|
|
1543
|
-
};
|
|
1544
|
-
}
|
|
1545
|
-
if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
|
|
1546
|
-
return {
|
|
1547
|
-
status: "BadCertificateInvalid",
|
|
1548
|
-
reason: "Cannot find X409 Extension 3 in certificate (parent)"
|
|
1549
|
-
};
|
|
1550
|
-
}
|
|
1551
|
-
if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
|
|
1552
|
-
return {
|
|
1553
|
-
status: "BadCertificateInvalid",
|
|
1554
|
-
reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
|
|
1555
|
-
};
|
|
1586
|
+
function exploreAsn1(buffer) {
|
|
1587
|
+
console.log(hexDump(buffer));
|
|
1588
|
+
function dump(offset, depth) {
|
|
1589
|
+
const blockInfo = readTag(buffer, offset);
|
|
1590
|
+
dumpBlock(blockInfo, depth);
|
|
1591
|
+
function dumpBlock(blockInfo2, depth2) {
|
|
1592
|
+
console.log(bi(blockInfo2, depth2));
|
|
1593
|
+
if (blockInfo2.tag === 48 /* SEQUENCE */ || blockInfo2.tag === 49 /* SET */ || blockInfo2.tag >= 160 /* CONTEXT_SPECIFIC0 */) {
|
|
1594
|
+
const blocks = readStruct(buffer, blockInfo2);
|
|
1595
|
+
for (const block of blocks) {
|
|
1596
|
+
dumpBlock(block, depth2 + 1);
|
|
1597
|
+
}
|
|
1598
|
+
}
|
|
1556
1599
|
}
|
|
1557
1600
|
}
|
|
1558
|
-
|
|
1559
|
-
status: "Good",
|
|
1560
|
-
reason: `certificate chain is valid(length = ${certificateChain.length})`
|
|
1561
|
-
};
|
|
1601
|
+
dump(0, 0);
|
|
1562
1602
|
}
|
|
1563
1603
|
|
|
1564
1604
|
// source/explore_certificate_revocation_list.ts
|
|
1565
1605
|
function readNameForCrl(buffer, block) {
|
|
1566
|
-
return
|
|
1606
|
+
return readDirectoryName(buffer, block);
|
|
1567
1607
|
}
|
|
1568
1608
|
function _readTbsCertList(buffer, blockInfo) {
|
|
1569
|
-
const blocks =
|
|
1609
|
+
const blocks = readStruct(buffer, blockInfo);
|
|
1570
1610
|
const hasOptionalVersion = blocks[0].tag === 2 /* INTEGER */;
|
|
1571
1611
|
if (hasOptionalVersion) {
|
|
1572
|
-
const version =
|
|
1573
|
-
const signature =
|
|
1612
|
+
const version = readIntegerValue(buffer, blocks[0]);
|
|
1613
|
+
const signature = readAlgorithmIdentifier(buffer, blocks[1]);
|
|
1574
1614
|
const issuer = readNameForCrl(buffer, blocks[2]);
|
|
1575
|
-
const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(
|
|
1576
|
-
const thisUpdate =
|
|
1577
|
-
const nextUpdate =
|
|
1615
|
+
const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[2])));
|
|
1616
|
+
const thisUpdate = readTime(buffer, blocks[3]);
|
|
1617
|
+
const nextUpdate = readTime(buffer, blocks[4]);
|
|
1578
1618
|
const revokedCertificates = [];
|
|
1579
1619
|
if (blocks[5] && blocks[5].tag < 128) {
|
|
1580
|
-
const list =
|
|
1620
|
+
const list = readStruct(buffer, blocks[5]);
|
|
1581
1621
|
for (const r of list) {
|
|
1582
|
-
const rr =
|
|
1583
|
-
const userCertificate = formatBuffer2DigitHexWithColum(
|
|
1584
|
-
const revocationDate =
|
|
1622
|
+
const rr = readStruct(buffer, r);
|
|
1623
|
+
const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
|
|
1624
|
+
const revocationDate = readTime(buffer, rr[1]);
|
|
1585
1625
|
revokedCertificates.push({
|
|
1586
1626
|
revocationDate,
|
|
1587
1627
|
userCertificate
|
|
1588
1628
|
});
|
|
1589
1629
|
}
|
|
1590
1630
|
}
|
|
1591
|
-
const ext0 =
|
|
1631
|
+
const ext0 = findBlockAtIndex(blocks, 0);
|
|
1592
1632
|
return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
|
|
1593
1633
|
} else {
|
|
1594
|
-
const signature =
|
|
1634
|
+
const signature = readAlgorithmIdentifier(buffer, blocks[0]);
|
|
1595
1635
|
const issuer = readNameForCrl(buffer, blocks[1]);
|
|
1596
|
-
const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(
|
|
1597
|
-
const thisUpdate =
|
|
1598
|
-
const nextUpdate =
|
|
1636
|
+
const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[1])));
|
|
1637
|
+
const thisUpdate = readTime(buffer, blocks[2]);
|
|
1638
|
+
const nextUpdate = readTime(buffer, blocks[3]);
|
|
1599
1639
|
const revokedCertificates = [];
|
|
1600
1640
|
if (blocks[4] && blocks[4].tag < 128) {
|
|
1601
|
-
const list =
|
|
1641
|
+
const list = readStruct(buffer, blocks[4]);
|
|
1602
1642
|
for (const r of list) {
|
|
1603
|
-
const rr =
|
|
1604
|
-
const userCertificate = formatBuffer2DigitHexWithColum(
|
|
1605
|
-
const revocationDate =
|
|
1643
|
+
const rr = readStruct(buffer, r);
|
|
1644
|
+
const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
|
|
1645
|
+
const revocationDate = readTime(buffer, rr[1]);
|
|
1606
1646
|
revokedCertificates.push({
|
|
1607
1647
|
revocationDate,
|
|
1608
1648
|
userCertificate
|
|
@@ -1614,18 +1654,18 @@ function _readTbsCertList(buffer, blockInfo) {
|
|
|
1614
1654
|
}
|
|
1615
1655
|
function exploreCertificateRevocationList(crl) {
|
|
1616
1656
|
const blockInfo = readTag(crl, 0);
|
|
1617
|
-
const blocks =
|
|
1657
|
+
const blocks = readStruct(crl, blockInfo);
|
|
1618
1658
|
const tbsCertList = _readTbsCertList(crl, blocks[0]);
|
|
1619
|
-
const signatureAlgorithm =
|
|
1620
|
-
const signatureValue =
|
|
1659
|
+
const signatureAlgorithm = readAlgorithmIdentifier(crl, blocks[1]);
|
|
1660
|
+
const signatureValue = readSignatureValueBin(crl, blocks[2]);
|
|
1621
1661
|
return { tbsCertList, signatureAlgorithm, signatureValue };
|
|
1622
1662
|
}
|
|
1623
1663
|
|
|
1624
1664
|
// source/explore_certificate_signing_request.ts
|
|
1625
1665
|
function _readExtensionRequest(buffer) {
|
|
1626
1666
|
const block = readTag(buffer, 0);
|
|
1627
|
-
const inner_blocks =
|
|
1628
|
-
const extensions = inner_blocks.map((block1) =>
|
|
1667
|
+
const inner_blocks = readStruct(buffer, block);
|
|
1668
|
+
const extensions = inner_blocks.map((block1) => readExtension(buffer, block1));
|
|
1629
1669
|
const result = {};
|
|
1630
1670
|
for (const e of extensions) {
|
|
1631
1671
|
result[e.identifier.name] = e.value;
|
|
@@ -1634,19 +1674,19 @@ function _readExtensionRequest(buffer) {
|
|
|
1634
1674
|
return { basicConstraints, keyUsage, subjectAltName };
|
|
1635
1675
|
}
|
|
1636
1676
|
function readCertificationRequestInfo(buffer, block) {
|
|
1637
|
-
const blocks =
|
|
1677
|
+
const blocks = readStruct(buffer, block);
|
|
1638
1678
|
if (blocks.length === 4) {
|
|
1639
|
-
const extensionRequestBlock =
|
|
1679
|
+
const extensionRequestBlock = findBlockAtIndex(blocks, 0);
|
|
1640
1680
|
if (!extensionRequestBlock) {
|
|
1641
1681
|
throw new Error("cannot find extensionRequest block");
|
|
1642
1682
|
}
|
|
1643
|
-
const blocks1 =
|
|
1644
|
-
const blocks2 =
|
|
1645
|
-
const identifier =
|
|
1683
|
+
const blocks1 = readStruct(buffer, extensionRequestBlock);
|
|
1684
|
+
const blocks2 = readStruct(buffer, blocks1[0]);
|
|
1685
|
+
const identifier = readObjectIdentifier(buffer, blocks2[0]);
|
|
1646
1686
|
if (identifier.name !== "extensionRequest") {
|
|
1647
1687
|
throw new Error(" Cannot find extension Request in ASN1 block");
|
|
1648
1688
|
}
|
|
1649
|
-
const buf =
|
|
1689
|
+
const buf = getBlock(buffer, blocks2[1]);
|
|
1650
1690
|
const extensionRequest = _readExtensionRequest(buf);
|
|
1651
1691
|
return { extensionRequest };
|
|
1652
1692
|
}
|
|
@@ -1654,184 +1694,19 @@ function readCertificationRequestInfo(buffer, block) {
|
|
|
1654
1694
|
}
|
|
1655
1695
|
function exploreCertificateSigningRequest(crl) {
|
|
1656
1696
|
const blockInfo = readTag(crl, 0);
|
|
1657
|
-
const blocks =
|
|
1658
|
-
const csrInfo = readCertificationRequestInfo(crl, blocks[0]);
|
|
1659
|
-
return csrInfo;
|
|
1660
|
-
}
|
|
1661
|
-
|
|
1662
|
-
// source/explore_private_key.ts
|
|
1663
|
-
function f(buffer, b) {
|
|
1664
|
-
return buffer.subarray(b.position + 1, b.position + b.length);
|
|
1665
|
-
}
|
|
1666
|
-
var doDebug2 = !!process.env.DEBUG;
|
|
1667
|
-
function explorePrivateKey(privateKey2) {
|
|
1668
|
-
const privateKey1 = privateKey2.hidden;
|
|
1669
|
-
const privateKey = typeof privateKey1 === "string" ? convertPEMtoDER(privateKey1) : privateKey1.export({ format: "der", type: "pkcs1" });
|
|
1670
|
-
const block_info = readTag(privateKey, 0);
|
|
1671
|
-
const blocks = _readStruct(privateKey, block_info);
|
|
1672
|
-
if (blocks.length === 9) {
|
|
1673
|
-
const version2 = f(privateKey, blocks[0]);
|
|
1674
|
-
const modulus2 = f(privateKey, blocks[1]);
|
|
1675
|
-
const publicExponent2 = f(privateKey, blocks[2]);
|
|
1676
|
-
const privateExponent2 = f(privateKey, blocks[3]);
|
|
1677
|
-
const prime12 = f(privateKey, blocks[4]);
|
|
1678
|
-
const prime22 = f(privateKey, blocks[5]);
|
|
1679
|
-
const exponent12 = f(privateKey, blocks[6]);
|
|
1680
|
-
const exponent22 = f(privateKey, blocks[7]);
|
|
1681
|
-
return {
|
|
1682
|
-
version: version2,
|
|
1683
|
-
modulus: modulus2,
|
|
1684
|
-
publicExponent: publicExponent2,
|
|
1685
|
-
privateExponent: privateExponent2,
|
|
1686
|
-
prime1: prime12,
|
|
1687
|
-
prime2: prime22,
|
|
1688
|
-
exponent1: exponent12,
|
|
1689
|
-
exponent2: exponent22
|
|
1690
|
-
};
|
|
1691
|
-
}
|
|
1692
|
-
if (doDebug2) {
|
|
1693
|
-
console.log("-------------------- private key:");
|
|
1694
|
-
console.log(block_info);
|
|
1695
|
-
console.log(
|
|
1696
|
-
blocks.map((b2) => ({
|
|
1697
|
-
tag: TagType[b2.tag] + " 0x" + b2.tag.toString(16),
|
|
1698
|
-
l: b2.length,
|
|
1699
|
-
p: b2.position,
|
|
1700
|
-
buff: privateKey.subarray(b2.position, b2.position + b2.length).toString("hex")
|
|
1701
|
-
}))
|
|
1702
|
-
);
|
|
1703
|
-
}
|
|
1704
|
-
const b = blocks[2];
|
|
1705
|
-
const bb = privateKey.subarray(b.position, b.position + b.length);
|
|
1706
|
-
const block_info1 = readTag(bb, 0);
|
|
1707
|
-
const blocks1 = _readStruct(bb, block_info1);
|
|
1708
|
-
if (doDebug2) {
|
|
1709
|
-
console.log(
|
|
1710
|
-
blocks1.map((b2) => ({
|
|
1711
|
-
tag: TagType[b2.tag] + " 0x" + b2.tag.toString(16),
|
|
1712
|
-
l: b2.length,
|
|
1713
|
-
p: b2.position,
|
|
1714
|
-
buff: bb.subarray(b2.position, b2.position + b2.length).toString("hex")
|
|
1715
|
-
}))
|
|
1716
|
-
);
|
|
1717
|
-
}
|
|
1718
|
-
const version = f(bb, blocks1[0]);
|
|
1719
|
-
const modulus = f(bb, blocks1[1]);
|
|
1720
|
-
const publicExponent = f(bb, blocks1[2]);
|
|
1721
|
-
const privateExponent = f(bb, blocks1[3]);
|
|
1722
|
-
const prime1 = f(bb, blocks1[4]);
|
|
1723
|
-
const prime2 = f(bb, blocks1[5]);
|
|
1724
|
-
const exponent1 = f(bb, blocks1[6]);
|
|
1725
|
-
const exponent2 = f(bb, blocks1[7]);
|
|
1726
|
-
return {
|
|
1727
|
-
version,
|
|
1728
|
-
modulus,
|
|
1729
|
-
publicExponent,
|
|
1730
|
-
privateExponent,
|
|
1731
|
-
prime1,
|
|
1732
|
-
prime2,
|
|
1733
|
-
exponent1,
|
|
1734
|
-
exponent2
|
|
1735
|
-
};
|
|
1736
|
-
}
|
|
1737
|
-
|
|
1738
|
-
// source/public_private_match.ts
|
|
1739
|
-
function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
|
|
1740
|
-
const i = exploreCertificate(certificate);
|
|
1741
|
-
const j = explorePrivateKey(privateKey);
|
|
1742
|
-
const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
|
|
1743
|
-
const modulus2 = j.modulus;
|
|
1744
|
-
if (modulus1.length != modulus2.length) {
|
|
1745
|
-
return false;
|
|
1746
|
-
}
|
|
1747
|
-
return modulus1.toString("hex") === modulus2.toString("hex");
|
|
1748
|
-
}
|
|
1749
|
-
function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
|
|
1750
|
-
const initialBuffer = Buffer.from("Lorem Ipsum");
|
|
1751
|
-
const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize);
|
|
1752
|
-
const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
|
|
1753
|
-
const finalString = decryptedBuffer.toString("utf-8");
|
|
1754
|
-
return initialBuffer.toString("utf-8") === finalString;
|
|
1755
|
-
}
|
|
1756
|
-
function certificateMatchesPrivateKey(certificate, privateKey) {
|
|
1757
|
-
const e = explorePrivateKey(privateKey);
|
|
1758
|
-
const blockSize = e.modulus.length;
|
|
1759
|
-
const certificatePEM = toPem(certificate, "CERTIFICATE");
|
|
1760
|
-
return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
|
|
1761
|
-
}
|
|
1762
|
-
|
|
1763
|
-
// source/x509/_crypto.ts
|
|
1764
|
-
var x509 = __toESM(require("@peculiar/x509"));
|
|
1765
|
-
var import_webcrypto = require("@peculiar/webcrypto");
|
|
1766
|
-
var import_crypto5 = __toESM(require("crypto"));
|
|
1767
|
-
var x5092 = __toESM(require("@peculiar/x509"));
|
|
1768
|
-
var doDebug3 = false;
|
|
1769
|
-
var _crypto;
|
|
1770
|
-
var ignoreCrypto = process.env.IGNORE_SUBTLE_FROM_CRYPTO;
|
|
1771
|
-
if (typeof window === "undefined") {
|
|
1772
|
-
_crypto = import_crypto5.default;
|
|
1773
|
-
if (!_crypto?.subtle || ignoreCrypto) {
|
|
1774
|
-
_crypto = new import_webcrypto.Crypto();
|
|
1775
|
-
doDebug3 && console.warn("using @peculiar/webcrypto");
|
|
1776
|
-
} else {
|
|
1777
|
-
doDebug3 && console.warn("using nodejs crypto (native)");
|
|
1778
|
-
}
|
|
1779
|
-
x509.cryptoProvider.set(_crypto);
|
|
1780
|
-
} else {
|
|
1781
|
-
doDebug3 && console.warn("using browser crypto (native)");
|
|
1782
|
-
_crypto = crypto;
|
|
1783
|
-
x509.cryptoProvider.set(crypto);
|
|
1784
|
-
}
|
|
1785
|
-
function getCrypto() {
|
|
1786
|
-
return _crypto || crypto || require("crypto");
|
|
1787
|
-
}
|
|
1788
|
-
|
|
1789
|
-
// source/x509/create_key_pair.ts
|
|
1790
|
-
async function generateKeyPair(modulusLength = 2048) {
|
|
1791
|
-
const crypto3 = getCrypto();
|
|
1792
|
-
const alg = {
|
|
1793
|
-
name: "RSASSA-PKCS1-v1_5",
|
|
1794
|
-
hash: { name: "SHA-256" },
|
|
1795
|
-
publicExponent: new Uint8Array([1, 0, 1]),
|
|
1796
|
-
modulusLength
|
|
1797
|
-
};
|
|
1798
|
-
const keys = await crypto3.subtle.generateKey(alg, true, ["sign", "verify"]);
|
|
1799
|
-
return keys;
|
|
1800
|
-
}
|
|
1801
|
-
async function generatePrivateKey(modulusLength = 2048) {
|
|
1802
|
-
return (await generateKeyPair(modulusLength)).privateKey;
|
|
1803
|
-
}
|
|
1804
|
-
async function privateKeyToPEM(privateKey) {
|
|
1805
|
-
const crypto3 = getCrypto();
|
|
1806
|
-
const privDer = await crypto3.subtle.exportKey("pkcs8", privateKey);
|
|
1807
|
-
const privPem = x5092.PemConverter.encode(privDer, "PRIVATE KEY");
|
|
1808
|
-
return { privPem, privDer };
|
|
1697
|
+
const blocks = readStruct(crl, blockInfo);
|
|
1698
|
+
const csrInfo = readCertificationRequestInfo(crl, blocks[0]);
|
|
1699
|
+
return csrInfo;
|
|
1809
1700
|
}
|
|
1810
|
-
|
|
1811
|
-
|
|
1812
|
-
|
|
1813
|
-
|
|
1814
|
-
privDer,
|
|
1815
|
-
{
|
|
1816
|
-
name: "RSASSA-PKCS1-v1_5",
|
|
1817
|
-
hash: { name: "SHA-256" }
|
|
1818
|
-
},
|
|
1819
|
-
true,
|
|
1820
|
-
[
|
|
1821
|
-
"sign"
|
|
1822
|
-
// "encrypt",
|
|
1823
|
-
// "decrypt",
|
|
1824
|
-
// "verify",
|
|
1825
|
-
// "wrapKey",
|
|
1826
|
-
// "unwrapKey",
|
|
1827
|
-
// "deriveKey",
|
|
1828
|
-
// "deriveBits"
|
|
1829
|
-
]
|
|
1830
|
-
);
|
|
1701
|
+
|
|
1702
|
+
// source/make_private_key_from_pem.ts
|
|
1703
|
+
function makePrivateKeyFromPem(privateKeyInPem) {
|
|
1704
|
+
return { hidden: privateKeyInPem };
|
|
1831
1705
|
}
|
|
1832
|
-
|
|
1833
|
-
|
|
1834
|
-
|
|
1706
|
+
|
|
1707
|
+
// source/make_private_key_thumbprint.ts
|
|
1708
|
+
function makePrivateKeyThumbPrint(privateKey) {
|
|
1709
|
+
return Buffer.alloc(0);
|
|
1835
1710
|
}
|
|
1836
1711
|
|
|
1837
1712
|
// source/subject.ts
|
|
@@ -1921,6 +1796,175 @@ var Subject = class _Subject {
|
|
|
1921
1796
|
}
|
|
1922
1797
|
};
|
|
1923
1798
|
|
|
1799
|
+
// source/verify_certificate_signature.ts
|
|
1800
|
+
var import_crypto4 = require("crypto");
|
|
1801
|
+
function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
|
|
1802
|
+
const block_info = readTag(certificateOrCrl, 0);
|
|
1803
|
+
const blocks = readStruct(certificateOrCrl, block_info);
|
|
1804
|
+
const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
|
|
1805
|
+
const signatureAlgorithm = readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
|
|
1806
|
+
const signatureValue = readSignatureValueBin(certificateOrCrl, blocks[2]);
|
|
1807
|
+
const p = split_der(parentCertificate)[0];
|
|
1808
|
+
const certPem = toPem(p, "CERTIFICATE");
|
|
1809
|
+
const verify = (0, import_crypto4.createVerify)(signatureAlgorithm.identifier);
|
|
1810
|
+
verify.update(bufferToBeSigned);
|
|
1811
|
+
verify.end();
|
|
1812
|
+
return verify.verify(certPem, signatureValue);
|
|
1813
|
+
}
|
|
1814
|
+
function verifyCertificateSignature(certificate, parentCertificate) {
|
|
1815
|
+
return verifyCertificateOrClrSignature(certificate, parentCertificate);
|
|
1816
|
+
}
|
|
1817
|
+
function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
|
|
1818
|
+
return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
|
|
1819
|
+
}
|
|
1820
|
+
async function verifyCertificateChain(certificateChain) {
|
|
1821
|
+
for (let index = 1; index < certificateChain.length; index++) {
|
|
1822
|
+
const cert = certificateChain[index - 1];
|
|
1823
|
+
const certParent = certificateChain[index];
|
|
1824
|
+
const certParentInfo = exploreCertificate(certParent);
|
|
1825
|
+
const keyUsage = certParentInfo.tbsCertificate.extensions.keyUsage;
|
|
1826
|
+
if (!keyUsage.keyCertSign) {
|
|
1827
|
+
return {
|
|
1828
|
+
status: "BadCertificateIssuerUseNotAllowed",
|
|
1829
|
+
reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
|
|
1830
|
+
};
|
|
1831
|
+
}
|
|
1832
|
+
const parentSignChild = verifyCertificateSignature(cert, certParent);
|
|
1833
|
+
if (!parentSignChild) {
|
|
1834
|
+
return {
|
|
1835
|
+
status: "BadCertificateInvalid",
|
|
1836
|
+
reason: "One of the certificate in the chain is not signing the previous certificate"
|
|
1837
|
+
};
|
|
1838
|
+
}
|
|
1839
|
+
const certInfo = exploreCertificate(cert);
|
|
1840
|
+
if (!certInfo.tbsCertificate.extensions) {
|
|
1841
|
+
return {
|
|
1842
|
+
status: "BadCertificateInvalid",
|
|
1843
|
+
reason: "Cannot find X409 Extension 3 in certificate"
|
|
1844
|
+
};
|
|
1845
|
+
}
|
|
1846
|
+
if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
|
|
1847
|
+
return {
|
|
1848
|
+
status: "BadCertificateInvalid",
|
|
1849
|
+
reason: "Cannot find X409 Extension 3 in certificate (parent)"
|
|
1850
|
+
};
|
|
1851
|
+
}
|
|
1852
|
+
if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
|
|
1853
|
+
return {
|
|
1854
|
+
status: "BadCertificateInvalid",
|
|
1855
|
+
reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
|
|
1856
|
+
};
|
|
1857
|
+
}
|
|
1858
|
+
}
|
|
1859
|
+
return {
|
|
1860
|
+
status: "Good",
|
|
1861
|
+
reason: `certificate chain is valid(length = ${certificateChain.length})`
|
|
1862
|
+
};
|
|
1863
|
+
}
|
|
1864
|
+
|
|
1865
|
+
// source/x509/_crypto.ts
|
|
1866
|
+
var x509 = __toESM(require("@peculiar/x509"));
|
|
1867
|
+
var import_webcrypto = require("@peculiar/webcrypto");
|
|
1868
|
+
var import_crypto5 = __toESM(require("crypto"));
|
|
1869
|
+
var x5092 = __toESM(require("@peculiar/x509"));
|
|
1870
|
+
var doDebug3 = false;
|
|
1871
|
+
var _crypto;
|
|
1872
|
+
var ignoreCrypto = process.env.IGNORE_SUBTLE_FROM_CRYPTO;
|
|
1873
|
+
if (typeof window === "undefined") {
|
|
1874
|
+
_crypto = import_crypto5.default;
|
|
1875
|
+
if (!_crypto?.subtle || ignoreCrypto) {
|
|
1876
|
+
_crypto = new import_webcrypto.Crypto();
|
|
1877
|
+
doDebug3 && console.warn("using @peculiar/webcrypto");
|
|
1878
|
+
} else {
|
|
1879
|
+
doDebug3 && console.warn("using nodejs crypto (native)");
|
|
1880
|
+
}
|
|
1881
|
+
x509.cryptoProvider.set(_crypto);
|
|
1882
|
+
} else {
|
|
1883
|
+
doDebug3 && console.warn("using browser crypto (native)");
|
|
1884
|
+
_crypto = crypto;
|
|
1885
|
+
x509.cryptoProvider.set(crypto);
|
|
1886
|
+
}
|
|
1887
|
+
function getCrypto() {
|
|
1888
|
+
return _crypto || crypto || require("crypto");
|
|
1889
|
+
}
|
|
1890
|
+
|
|
1891
|
+
// source/x509/create_key_pair.ts
|
|
1892
|
+
async function generateKeyPair(modulusLength = 2048) {
|
|
1893
|
+
const crypto3 = getCrypto();
|
|
1894
|
+
const alg = {
|
|
1895
|
+
name: "RSASSA-PKCS1-v1_5",
|
|
1896
|
+
hash: { name: "SHA-256" },
|
|
1897
|
+
publicExponent: new Uint8Array([1, 0, 1]),
|
|
1898
|
+
modulusLength
|
|
1899
|
+
};
|
|
1900
|
+
const keys = await crypto3.subtle.generateKey(alg, true, ["sign", "verify"]);
|
|
1901
|
+
return keys;
|
|
1902
|
+
}
|
|
1903
|
+
async function generatePrivateKey(modulusLength = 2048) {
|
|
1904
|
+
return (await generateKeyPair(modulusLength)).privateKey;
|
|
1905
|
+
}
|
|
1906
|
+
async function privateKeyToPEM(privateKey) {
|
|
1907
|
+
const crypto3 = getCrypto();
|
|
1908
|
+
const privDer = await crypto3.subtle.exportKey("pkcs8", privateKey);
|
|
1909
|
+
const privPem = x5092.PemConverter.encode(privDer, "PRIVATE KEY");
|
|
1910
|
+
return { privPem, privDer };
|
|
1911
|
+
}
|
|
1912
|
+
async function derToPrivateKey(privDer) {
|
|
1913
|
+
const crypto3 = getCrypto();
|
|
1914
|
+
return await crypto3.subtle.importKey(
|
|
1915
|
+
"pkcs8",
|
|
1916
|
+
privDer,
|
|
1917
|
+
{
|
|
1918
|
+
name: "RSASSA-PKCS1-v1_5",
|
|
1919
|
+
hash: { name: "SHA-256" }
|
|
1920
|
+
},
|
|
1921
|
+
true,
|
|
1922
|
+
[
|
|
1923
|
+
"sign"
|
|
1924
|
+
// "encrypt",
|
|
1925
|
+
// "decrypt",
|
|
1926
|
+
// "verify",
|
|
1927
|
+
// "wrapKey",
|
|
1928
|
+
// "unwrapKey",
|
|
1929
|
+
// "deriveKey",
|
|
1930
|
+
// "deriveBits"
|
|
1931
|
+
]
|
|
1932
|
+
);
|
|
1933
|
+
}
|
|
1934
|
+
async function pemToPrivateKey(pem) {
|
|
1935
|
+
const privDer = x5092.PemConverter.decode(pem);
|
|
1936
|
+
return derToPrivateKey(privDer[0]);
|
|
1937
|
+
}
|
|
1938
|
+
|
|
1939
|
+
// source/x509/coerce_private_key.ts
|
|
1940
|
+
var crypto2 = getCrypto();
|
|
1941
|
+
var doDebug4 = false;
|
|
1942
|
+
function coercePEMorDerToPrivateKey(privateKeyInDerOrPem) {
|
|
1943
|
+
if (typeof privateKeyInDerOrPem === "string") {
|
|
1944
|
+
const hidden = createPrivateKeyFromNodeJSCrypto(privateKeyInDerOrPem);
|
|
1945
|
+
return { hidden };
|
|
1946
|
+
}
|
|
1947
|
+
throw new Error("not implemented");
|
|
1948
|
+
}
|
|
1949
|
+
async function _coercePrivateKey(privateKey) {
|
|
1950
|
+
const KeyObject4 = crypto2.KeyObject;
|
|
1951
|
+
if (privateKey instanceof Buffer) {
|
|
1952
|
+
const privateKey1 = await derToPrivateKey(privateKey);
|
|
1953
|
+
return KeyObject4.from(privateKey1);
|
|
1954
|
+
} else if (typeof privateKey === "string") {
|
|
1955
|
+
try {
|
|
1956
|
+
const privateKey1 = await pemToPrivateKey(privateKey);
|
|
1957
|
+
return KeyObject4.from(privateKey1);
|
|
1958
|
+
} catch (err) {
|
|
1959
|
+
doDebug4 && console.log(privateKey);
|
|
1960
|
+
throw err;
|
|
1961
|
+
}
|
|
1962
|
+
} else if (privateKey instanceof KeyObject4) {
|
|
1963
|
+
return privateKey;
|
|
1964
|
+
}
|
|
1965
|
+
throw new Error("Invalid privateKey");
|
|
1966
|
+
}
|
|
1967
|
+
|
|
1924
1968
|
// source/x509/_get_attributes.ts
|
|
1925
1969
|
var keyUsageApplication = x5092.KeyUsageFlags.keyEncipherment | x5092.KeyUsageFlags.nonRepudiation | x5092.KeyUsageFlags.dataEncipherment | x5092.KeyUsageFlags.keyCertSign | x5092.KeyUsageFlags.digitalSignature;
|
|
1926
1970
|
var keyUsageCA = x5092.KeyUsageFlags.keyCertSign | x5092.KeyUsageFlags.cRLSign;
|
|
@@ -5462,11 +5506,11 @@ function compareSchema(root, inputData, inputSchema) {
|
|
|
5462
5506
|
};
|
|
5463
5507
|
}
|
|
5464
5508
|
if (inputSchema.primitiveSchema && VALUE_HEX_VIEW in inputData.valueBlock) {
|
|
5465
|
-
const
|
|
5466
|
-
if (
|
|
5509
|
+
const asn12 = localFromBER(inputData.valueBlock.valueHexView);
|
|
5510
|
+
if (asn12.offset === -1) {
|
|
5467
5511
|
const _result = {
|
|
5468
5512
|
verified: false,
|
|
5469
|
-
result:
|
|
5513
|
+
result: asn12.result
|
|
5470
5514
|
};
|
|
5471
5515
|
if (inputSchema.name) {
|
|
5472
5516
|
inputSchema.name = inputSchema.name.replace(/^\s+|\s+$/g, EMPTY_STRING);
|
|
@@ -5477,7 +5521,7 @@ function compareSchema(root, inputData, inputSchema) {
|
|
|
5477
5521
|
}
|
|
5478
5522
|
return _result;
|
|
5479
5523
|
}
|
|
5480
|
-
return compareSchema(root,
|
|
5524
|
+
return compareSchema(root, asn12.result, inputSchema.primitiveSchema);
|
|
5481
5525
|
}
|
|
5482
5526
|
return {
|
|
5483
5527
|
verified: true,
|
|
@@ -5491,14 +5535,14 @@ function verifySchema(inputBuffer, inputSchema) {
|
|
|
5491
5535
|
result: { error: "Wrong ASN.1 schema type" }
|
|
5492
5536
|
};
|
|
5493
5537
|
}
|
|
5494
|
-
const
|
|
5495
|
-
if (
|
|
5538
|
+
const asn12 = localFromBER(BufferSourceConverter.toUint8Array(inputBuffer));
|
|
5539
|
+
if (asn12.offset === -1) {
|
|
5496
5540
|
return {
|
|
5497
5541
|
verified: false,
|
|
5498
|
-
result:
|
|
5542
|
+
result: asn12.result
|
|
5499
5543
|
};
|
|
5500
5544
|
}
|
|
5501
|
-
return compareSchema(
|
|
5545
|
+
return compareSchema(asn12.result, asn12.result, inputSchema);
|
|
5502
5546
|
}
|
|
5503
5547
|
|
|
5504
5548
|
// ../../node_modules/@peculiar/asn1-schema/build/es2015/enums.js
|
|
@@ -6186,66 +6230,8 @@ async function createSelfSignedCertificate({
|
|
|
6186
6230
|
return { cert: cert.toString("pem"), der: cert };
|
|
6187
6231
|
}
|
|
6188
6232
|
|
|
6189
|
-
// source/
|
|
6190
|
-
var
|
|
6191
|
-
var doDebug4 = false;
|
|
6192
|
-
function coercePEMorDerToPrivateKey(privateKeyInDerOrPem) {
|
|
6193
|
-
if (typeof privateKeyInDerOrPem === "string") {
|
|
6194
|
-
const hidden = createPrivateKeyFromNodeJSCrypto(privateKeyInDerOrPem);
|
|
6195
|
-
return { hidden };
|
|
6196
|
-
}
|
|
6197
|
-
throw new Error("not implemented");
|
|
6198
|
-
}
|
|
6199
|
-
async function _coercePrivateKey(privateKey) {
|
|
6200
|
-
const KeyObject4 = crypto2.KeyObject;
|
|
6201
|
-
if (privateKey instanceof Buffer) {
|
|
6202
|
-
const privateKey1 = await derToPrivateKey(privateKey);
|
|
6203
|
-
return KeyObject4.from(privateKey1);
|
|
6204
|
-
} else if (typeof privateKey === "string") {
|
|
6205
|
-
try {
|
|
6206
|
-
const privateKey1 = await pemToPrivateKey(privateKey);
|
|
6207
|
-
return KeyObject4.from(privateKey1);
|
|
6208
|
-
} catch (err) {
|
|
6209
|
-
doDebug4 && console.log(privateKey);
|
|
6210
|
-
throw err;
|
|
6211
|
-
}
|
|
6212
|
-
} else if (privateKey instanceof KeyObject4) {
|
|
6213
|
-
return privateKey;
|
|
6214
|
-
}
|
|
6215
|
-
throw new Error("Invalid privateKey");
|
|
6216
|
-
}
|
|
6217
|
-
|
|
6218
|
-
// source/explore_asn1.ts
|
|
6219
|
-
function t(tag) {
|
|
6220
|
-
return TagType[tag];
|
|
6221
|
-
}
|
|
6222
|
-
function bi(blockInfo, depth) {
|
|
6223
|
-
const indent = " ".repeat(depth);
|
|
6224
|
-
const hl = blockInfo.position - blockInfo.start;
|
|
6225
|
-
return `${blockInfo.start.toString().padStart(5, " ")}:d=${depth} hl=${hl.toString().padEnd(3, " ")} l=${blockInfo.length.toString().padStart(6, " ")} ${blockInfo.tag.toString(16).padEnd(2, " ")} ${indent} ${t(blockInfo.tag)}`;
|
|
6226
|
-
}
|
|
6227
|
-
function exploreAsn1(buffer) {
|
|
6228
|
-
console.log(hexDump(buffer));
|
|
6229
|
-
function dump(offset, depth) {
|
|
6230
|
-
const blockInfo = readTag(buffer, offset);
|
|
6231
|
-
dumpBlock(blockInfo, depth);
|
|
6232
|
-
function dumpBlock(blockInfo2, depth2) {
|
|
6233
|
-
console.log(bi(blockInfo2, depth2));
|
|
6234
|
-
if (blockInfo2.tag === 48 /* SEQUENCE */ || blockInfo2.tag === 49 /* SET */ || blockInfo2.tag >= 160 /* CONTEXT_SPECIFIC0 */) {
|
|
6235
|
-
const blocks = _readStruct(buffer, blockInfo2);
|
|
6236
|
-
for (const block of blocks) {
|
|
6237
|
-
dumpBlock(block, depth2 + 1);
|
|
6238
|
-
}
|
|
6239
|
-
}
|
|
6240
|
-
}
|
|
6241
|
-
}
|
|
6242
|
-
dump(0, 0);
|
|
6243
|
-
}
|
|
6244
|
-
|
|
6245
|
-
// source/make_private_key_from_pem.ts
|
|
6246
|
-
function makePrivateKeyFromPem(privateKeyInPem) {
|
|
6247
|
-
return { hidden: privateKeyInPem };
|
|
6248
|
-
}
|
|
6233
|
+
// source/index_web.ts
|
|
6234
|
+
var asn1 = { readDirectoryName, readTag, readStruct, readAlgorithmIdentifier, readSignatureValueBin };
|
|
6249
6235
|
// Annotate the CommonJS export names for ESM import in node:
|
|
6250
6236
|
0 && (module.exports = {
|
|
6251
6237
|
CertificatePurpose,
|
|
@@ -6253,28 +6239,8 @@ function makePrivateKeyFromPem(privateKeyInPem) {
|
|
|
6253
6239
|
RSA_PKCS1_OAEP_PADDING,
|
|
6254
6240
|
RSA_PKCS1_PADDING,
|
|
6255
6241
|
Subject,
|
|
6256
|
-
TagType,
|
|
6257
6242
|
_coercePrivateKey,
|
|
6258
|
-
|
|
6259
|
-
_getBlock,
|
|
6260
|
-
_readAlgorithmIdentifier,
|
|
6261
|
-
_readBitString,
|
|
6262
|
-
_readBooleanValue,
|
|
6263
|
-
_readDirectoryName,
|
|
6264
|
-
_readECCAlgorithmIdentifier,
|
|
6265
|
-
_readExtension,
|
|
6266
|
-
_readIntegerAsByteString,
|
|
6267
|
-
_readIntegerValue,
|
|
6268
|
-
_readListOfInteger,
|
|
6269
|
-
_readLongIntegerValue,
|
|
6270
|
-
_readObjectIdentifier,
|
|
6271
|
-
_readOctetString,
|
|
6272
|
-
_readSignatureValue,
|
|
6273
|
-
_readSignatureValueBin,
|
|
6274
|
-
_readStruct,
|
|
6275
|
-
_readTime,
|
|
6276
|
-
_readValue,
|
|
6277
|
-
_readVersionValue,
|
|
6243
|
+
asn1,
|
|
6278
6244
|
certificateMatchesPrivateKey,
|
|
6279
6245
|
coerceCertificate,
|
|
6280
6246
|
coerceCertificatePem,
|
|
@@ -6283,7 +6249,6 @@ function makePrivateKeyFromPem(privateKeyInPem) {
|
|
|
6283
6249
|
coercePublicKeyPem,
|
|
6284
6250
|
coerceRsaPublicKeyPem,
|
|
6285
6251
|
combine_der,
|
|
6286
|
-
compactDirectoryName,
|
|
6287
6252
|
computeDerivedKeys,
|
|
6288
6253
|
computePaddingFooter,
|
|
6289
6254
|
convertPEMtoDER,
|
|
@@ -6301,7 +6266,6 @@ function makePrivateKeyFromPem(privateKeyInPem) {
|
|
|
6301
6266
|
explorePrivateKey,
|
|
6302
6267
|
extractPublicKeyFromCertificate,
|
|
6303
6268
|
extractPublicKeyFromCertificateSync,
|
|
6304
|
-
formatBuffer2DigitHexWithColum,
|
|
6305
6269
|
generateKeyPair,
|
|
6306
6270
|
generatePrivateKey,
|
|
6307
6271
|
hexDump,
|
|
@@ -6310,9 +6274,9 @@ function makePrivateKeyFromPem(privateKeyInPem) {
|
|
|
6310
6274
|
makeMessageChunkSignature,
|
|
6311
6275
|
makeMessageChunkSignatureWithDerivedKeys,
|
|
6312
6276
|
makePrivateKeyFromPem,
|
|
6277
|
+
makePrivateKeyThumbPrint,
|
|
6313
6278
|
makePseudoRandomBuffer,
|
|
6314
6279
|
makeSHA1Thumbprint,
|
|
6315
|
-
parseBitString,
|
|
6316
6280
|
pemToPrivateKey,
|
|
6317
6281
|
privateDecrypt,
|
|
6318
6282
|
privateDecrypt_long,
|
|
@@ -6323,8 +6287,8 @@ function makePrivateKeyFromPem(privateKeyInPem) {
|
|
|
6323
6287
|
publicEncrypt_native,
|
|
6324
6288
|
publicKeyAndPrivateKeyMatches,
|
|
6325
6289
|
readCertificationRequestInfo,
|
|
6290
|
+
readExtension,
|
|
6326
6291
|
readNameForCrl,
|
|
6327
|
-
readTag,
|
|
6328
6292
|
readTbsCertificate,
|
|
6329
6293
|
reduceLength,
|
|
6330
6294
|
removePadding,
|