node-opcua-crypto 4.17.0 → 5.1.0

package/dist/source/index.mjs

@@ -36,6 +36,7 @@ import {
   generatePrivateKey,
   hexDump,
   identifyPemType,
+  isCrlIssuedByCertificate,
   isKeyObject,
   makeMessageChunkSignature,
   makeMessageChunkSignatureWithDerivedKeys,
@@ -71,8 +72,9 @@ import {
   verifyCertificateSignature,
   verifyChunkSignature,
   verifyChunkSignatureWithDerivedKeys,
+  verifyCrlIssuedByCertificate,
   verifyMessageChunkSignature
-} from "../chunk-EURHGMEG.mjs";
+} from "../chunk-ULG5CYBT.mjs";
 export {
   CertificatePurpose,
   PaddingAlgorithm,
@@ -110,6 +112,7 @@ export {
   generatePrivateKey,
   hexDump,
   identifyPemType,
+  isCrlIssuedByCertificate,
   isKeyObject,
   makeMessageChunkSignature,
   makeMessageChunkSignatureWithDerivedKeys,
@@ -145,6 +148,7 @@ export {
   verifyCertificateSignature,
   verifyChunkSignature,
   verifyChunkSignatureWithDerivedKeys,
+  verifyCrlIssuedByCertificate,
   verifyMessageChunkSignature
 };
 //# sourceMappingURL=index.mjs.map

package/dist/source/index_web.d.mts

@@ -1,8 +1,36 @@
-import { C as Certificate, d as CertificatePEM, b as PEM, D as DER, P as PrivateKey, f as PublicKeyPEM, S as Signature, K as KeyObject, e as PrivateKeyPEM, a as PublicKey, N as Nonce, g as CertificateRevocationList, h as CertificatePurpose } from '../common-DxHkx4Pv.mjs';
+import { g as CertificateRevocationList, C as Certificate, d as CertificatePEM, b as PEM, D as DER, P as PrivateKey, f as PublicKeyPEM, S as Signature, K as KeyObject, e as PrivateKeyPEM, a as PublicKey, N as Nonce, h as CertificatePurpose } from '../common-DxHkx4Pv.mjs';
 export { c as createPrivateKeyFromNodeJSCrypto, i as isKeyObject } from '../common-DxHkx4Pv.mjs';
 import { KeyLike } from 'node:crypto';
 import * as x509 from '@peculiar/x509';
 
+/**
+ * Determine if a Certificate Revocation List (CRL) was issued by
+ * the given certificate, by comparing the CRL's issuer name
+ * fingerprint with the certificate's subject name fingerprint.
+ *
+ * This is a lightweight check (no cryptographic signature
+ * verification). Use {@link verifyCrlIssuedByCertificate} for
+ * full verification.
+ *
+ * @param crl  - the CRL to check (DER-encoded)
+ * @param certificate - the candidate issuer certificate (DER-encoded)
+ * @returns `true` if the CRL's issuer fingerprint matches the
+ *          certificate's subject fingerprint
+ */
+declare function isCrlIssuedByCertificate(crl: CertificateRevocationList, certificate: Certificate): boolean;
+/**
+ * Verify that a Certificate Revocation List (CRL) was issued by
+ * the given certificate. This performs both a fingerprint match
+ * **and** a cryptographic signature verification.
+ *
+ * @param crl  - the CRL to verify (DER-encoded)
+ * @param certificate - the candidate issuer certificate (DER-encoded)
+ * @returns `true` if the CRL's issuer matches the certificate
+ *          **and** the CRL's signature is valid against the
+ *          certificate's public key
+ */
+declare function verifyCrlIssuedByCertificate(crl: CertificateRevocationList, certificate: Certificate): boolean;
+
 interface DirectoryName {
     stateOrProvinceName?: string;
     localityName?: string;
@@ -245,7 +273,7 @@ declare function extractPublicKeyFromCertificate(certificate: CertificatePEM | C
 
 /***
  * @method rsaLengthPrivateKey
- * A very expensive way to determine the rsa key length ( i.e 2048bits or 1024bits)
+ * A method to determine the rsa key length ( i.e 2048bits or 1024bits)
  * @param key  a PEM public key or a PEM rsa private key
  * @return the key length in bytes.
  */
@@ -366,10 +394,16 @@ interface CertificateRevocationListInfo {
 declare function readNameForCrl(buffer: Buffer, block: BlockInfo): DirectoryName;
 declare function exploreCertificateRevocationList(crl: CertificateRevocationList): CertificateRevocationListInfo;
 
+interface SubjectAltName {
+    uniformResourceIdentifier: string[];
+    dNSName: string[];
+    iPAddress: string[];
+    [key: string]: unknown;
+}
 interface ExtensionRequest {
     basicConstraints: BasicConstraints;
     keyUsage: X509KeyUsage;
-    subjectAltName: string;
+    subjectAltName: SubjectAltName;
 }
 interface CertificateSigningRequestInfo {
     extensionRequest: ExtensionRequest;
@@ -515,4 +549,4 @@ declare const asn1: {
     readSignatureValueBin: typeof readSignatureValueBin;
 };
 
-export { type AttributeTypeAndValue, type AuthorityKeyIdentifier, type BasicConstraints, Certificate, type CertificateExtension, type CertificateInfo, type CertificateInternals, CertificatePEM, CertificatePurpose, CertificateRevocationList, type CertificateRevocationListInfo, type CertificateSerialNumber, type CertificateSigningRequestInfo, type ComputeDerivedKeysOptions, type CreateSelfSignCertificateOptions, DER, type DerivedKeys, type DirectoryName, type ExtensionRequest, type Extensions, KeyObject, type Name, Nonce, PEM, PaddingAlgorithm, PrivateKey, type PrivateKeyInternals, PrivateKeyPEM, PublicKey, type PublicKeyLength, PublicKeyPEM, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_PADDING, type RevokedCertificate, Signature, Subject, type SubjectOptions, type SubjectPublicKey, type SubjectPublicKeyInfo, type TBSCertList, type TbsCertificate, type Validity, type VerifyChunkSignatureOptions, type VerifyMessageChunkSignatureOptions, type Version, type X509ExtKeyUsage, type X509KeyUsage, type _VerifyStatus, _coercePrivateKey, asn1, certificateMatchesPrivateKey, coerceCertificate, coerceCertificatePem, coercePEMorDerToPrivateKey, coercePrivateKeyPem, coercePublicKeyPem, coerceRsaPublicKeyPem, combine_der, computeDerivedKeys, computePaddingFooter, convertPEMtoDER, createCertificateSigningRequest, createSelfSignedCertificate, decryptBufferWithDerivedKeys, derToPrivateKey, encryptBufferWithDerivedKeys, exploreAsn1, exploreCertificate, exploreCertificateInfo, exploreCertificateRevocationList, exploreCertificateSigningRequest, explorePrivateKey, extractPublicKeyFromCertificate, extractPublicKeyFromCertificateSync, generateKeyPair, generatePrivateKey, hexDump, identifyPemType, makeMessageChunkSignature, makeMessageChunkSignatureWithDerivedKeys, makePrivateKeyFromPem, makePrivateKeyThumbPrint, makePseudoRandomBuffer, makeSHA1Thumbprint, pemToPrivateKey, privateDecrypt, privateDecrypt_long, privateDecrypt_native, privateKeyToPEM, publicEncrypt, publicEncrypt_long, publicEncrypt_native, publicKeyAndPrivateKeyMatches, readCertificationRequestInfo, readExtension, readNameForCrl, readTbsCertificate, reduceLength, removePadding, removeTrailingLF, rsaLengthPrivateKey, rsaLengthPublicKey, rsaLengthRsaPublicKey, split_der, toPem, toPem2, verifyCertificateChain, verifyCertificateOrClrSignature, verifyCertificateRevocationListSignature, verifyCertificateSignature, verifyChunkSignature, verifyChunkSignatureWithDerivedKeys, verifyMessageChunkSignature };
+export { type AttributeTypeAndValue, type AuthorityKeyIdentifier, type BasicConstraints, Certificate, type CertificateExtension, type CertificateInfo, type CertificateInternals, CertificatePEM, CertificatePurpose, CertificateRevocationList, type CertificateRevocationListInfo, type CertificateSerialNumber, type CertificateSigningRequestInfo, type ComputeDerivedKeysOptions, type CreateSelfSignCertificateOptions, DER, type DerivedKeys, type DirectoryName, type ExtensionRequest, type Extensions, KeyObject, type Name, Nonce, PEM, PaddingAlgorithm, PrivateKey, type PrivateKeyInternals, PrivateKeyPEM, PublicKey, type PublicKeyLength, PublicKeyPEM, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_PADDING, type RevokedCertificate, Signature, Subject, type SubjectAltName, type SubjectOptions, type SubjectPublicKey, type SubjectPublicKeyInfo, type TBSCertList, type TbsCertificate, type Validity, type VerifyChunkSignatureOptions, type VerifyMessageChunkSignatureOptions, type Version, type X509ExtKeyUsage, type X509KeyUsage, type _VerifyStatus, _coercePrivateKey, asn1, certificateMatchesPrivateKey, coerceCertificate, coerceCertificatePem, coercePEMorDerToPrivateKey, coercePrivateKeyPem, coercePublicKeyPem, coerceRsaPublicKeyPem, combine_der, computeDerivedKeys, computePaddingFooter, convertPEMtoDER, createCertificateSigningRequest, createSelfSignedCertificate, decryptBufferWithDerivedKeys, derToPrivateKey, encryptBufferWithDerivedKeys, exploreAsn1, exploreCertificate, exploreCertificateInfo, exploreCertificateRevocationList, exploreCertificateSigningRequest, explorePrivateKey, extractPublicKeyFromCertificate, extractPublicKeyFromCertificateSync, generateKeyPair, generatePrivateKey, hexDump, identifyPemType, isCrlIssuedByCertificate, makeMessageChunkSignature, makeMessageChunkSignatureWithDerivedKeys, makePrivateKeyFromPem, makePrivateKeyThumbPrint, makePseudoRandomBuffer, makeSHA1Thumbprint, pemToPrivateKey, privateDecrypt, privateDecrypt_long, privateDecrypt_native, privateKeyToPEM, publicEncrypt, publicEncrypt_long, publicEncrypt_native, publicKeyAndPrivateKeyMatches, readCertificationRequestInfo, readExtension, readNameForCrl, readTbsCertificate, reduceLength, removePadding, removeTrailingLF, rsaLengthPrivateKey, rsaLengthPublicKey, rsaLengthRsaPublicKey, split_der, toPem, toPem2, verifyCertificateChain, verifyCertificateOrClrSignature, verifyCertificateRevocationListSignature, verifyCertificateSignature, verifyChunkSignature, verifyChunkSignatureWithDerivedKeys, verifyCrlIssuedByCertificate, verifyMessageChunkSignature };

package/dist/source/index_web.d.ts

@@ -1,8 +1,36 @@
-import { C as Certificate, d as CertificatePEM, b as PEM, D as DER, P as PrivateKey, f as PublicKeyPEM, S as Signature, K as KeyObject, e as PrivateKeyPEM, a as PublicKey, N as Nonce, g as CertificateRevocationList, h as CertificatePurpose } from '../common-DxHkx4Pv.js';
+import { g as CertificateRevocationList, C as Certificate, d as CertificatePEM, b as PEM, D as DER, P as PrivateKey, f as PublicKeyPEM, S as Signature, K as KeyObject, e as PrivateKeyPEM, a as PublicKey, N as Nonce, h as CertificatePurpose } from '../common-DxHkx4Pv.js';
 export { c as createPrivateKeyFromNodeJSCrypto, i as isKeyObject } from '../common-DxHkx4Pv.js';
 import { KeyLike } from 'node:crypto';
 import * as x509 from '@peculiar/x509';
 
+/**
+ * Determine if a Certificate Revocation List (CRL) was issued by
+ * the given certificate, by comparing the CRL's issuer name
+ * fingerprint with the certificate's subject name fingerprint.
+ *
+ * This is a lightweight check (no cryptographic signature
+ * verification). Use {@link verifyCrlIssuedByCertificate} for
+ * full verification.
+ *
+ * @param crl  - the CRL to check (DER-encoded)
+ * @param certificate - the candidate issuer certificate (DER-encoded)
+ * @returns `true` if the CRL's issuer fingerprint matches the
+ *          certificate's subject fingerprint
+ */
+declare function isCrlIssuedByCertificate(crl: CertificateRevocationList, certificate: Certificate): boolean;
+/**
+ * Verify that a Certificate Revocation List (CRL) was issued by
+ * the given certificate. This performs both a fingerprint match
+ * **and** a cryptographic signature verification.
+ *
+ * @param crl  - the CRL to verify (DER-encoded)
+ * @param certificate - the candidate issuer certificate (DER-encoded)
+ * @returns `true` if the CRL's issuer matches the certificate
+ *          **and** the CRL's signature is valid against the
+ *          certificate's public key
+ */
+declare function verifyCrlIssuedByCertificate(crl: CertificateRevocationList, certificate: Certificate): boolean;
+
 interface DirectoryName {
     stateOrProvinceName?: string;
     localityName?: string;
@@ -245,7 +273,7 @@ declare function extractPublicKeyFromCertificate(certificate: CertificatePEM | C
 
 /***
  * @method rsaLengthPrivateKey
- * A very expensive way to determine the rsa key length ( i.e 2048bits or 1024bits)
+ * A method to determine the rsa key length ( i.e 2048bits or 1024bits)
  * @param key  a PEM public key or a PEM rsa private key
  * @return the key length in bytes.
  */
@@ -366,10 +394,16 @@ interface CertificateRevocationListInfo {
 declare function readNameForCrl(buffer: Buffer, block: BlockInfo): DirectoryName;
 declare function exploreCertificateRevocationList(crl: CertificateRevocationList): CertificateRevocationListInfo;
 
+interface SubjectAltName {
+    uniformResourceIdentifier: string[];
+    dNSName: string[];
+    iPAddress: string[];
+    [key: string]: unknown;
+}
 interface ExtensionRequest {
     basicConstraints: BasicConstraints;
     keyUsage: X509KeyUsage;
-    subjectAltName: string;
+    subjectAltName: SubjectAltName;
 }
 interface CertificateSigningRequestInfo {
     extensionRequest: ExtensionRequest;
@@ -515,4 +549,4 @@ declare const asn1: {
     readSignatureValueBin: typeof readSignatureValueBin;
 };
 
-export { type AttributeTypeAndValue, type AuthorityKeyIdentifier, type BasicConstraints, Certificate, type CertificateExtension, type CertificateInfo, type CertificateInternals, CertificatePEM, CertificatePurpose, CertificateRevocationList, type CertificateRevocationListInfo, type CertificateSerialNumber, type CertificateSigningRequestInfo, type ComputeDerivedKeysOptions, type CreateSelfSignCertificateOptions, DER, type DerivedKeys, type DirectoryName, type ExtensionRequest, type Extensions, KeyObject, type Name, Nonce, PEM, PaddingAlgorithm, PrivateKey, type PrivateKeyInternals, PrivateKeyPEM, PublicKey, type PublicKeyLength, PublicKeyPEM, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_PADDING, type RevokedCertificate, Signature, Subject, type SubjectOptions, type SubjectPublicKey, type SubjectPublicKeyInfo, type TBSCertList, type TbsCertificate, type Validity, type VerifyChunkSignatureOptions, type VerifyMessageChunkSignatureOptions, type Version, type X509ExtKeyUsage, type X509KeyUsage, type _VerifyStatus, _coercePrivateKey, asn1, certificateMatchesPrivateKey, coerceCertificate, coerceCertificatePem, coercePEMorDerToPrivateKey, coercePrivateKeyPem, coercePublicKeyPem, coerceRsaPublicKeyPem, combine_der, computeDerivedKeys, computePaddingFooter, convertPEMtoDER, createCertificateSigningRequest, createSelfSignedCertificate, decryptBufferWithDerivedKeys, derToPrivateKey, encryptBufferWithDerivedKeys, exploreAsn1, exploreCertificate, exploreCertificateInfo, exploreCertificateRevocationList, exploreCertificateSigningRequest, explorePrivateKey, extractPublicKeyFromCertificate, extractPublicKeyFromCertificateSync, generateKeyPair, generatePrivateKey, hexDump, identifyPemType, makeMessageChunkSignature, makeMessageChunkSignatureWithDerivedKeys, makePrivateKeyFromPem, makePrivateKeyThumbPrint, makePseudoRandomBuffer, makeSHA1Thumbprint, pemToPrivateKey, privateDecrypt, privateDecrypt_long, privateDecrypt_native, privateKeyToPEM, publicEncrypt, publicEncrypt_long, publicEncrypt_native, publicKeyAndPrivateKeyMatches, readCertificationRequestInfo, readExtension, readNameForCrl, readTbsCertificate, reduceLength, removePadding, removeTrailingLF, rsaLengthPrivateKey, rsaLengthPublicKey, rsaLengthRsaPublicKey, split_der, toPem, toPem2, verifyCertificateChain, verifyCertificateOrClrSignature, verifyCertificateRevocationListSignature, verifyCertificateSignature, verifyChunkSignature, verifyChunkSignatureWithDerivedKeys, verifyMessageChunkSignature };
+export { type AttributeTypeAndValue, type AuthorityKeyIdentifier, type BasicConstraints, Certificate, type CertificateExtension, type CertificateInfo, type CertificateInternals, CertificatePEM, CertificatePurpose, CertificateRevocationList, type CertificateRevocationListInfo, type CertificateSerialNumber, type CertificateSigningRequestInfo, type ComputeDerivedKeysOptions, type CreateSelfSignCertificateOptions, DER, type DerivedKeys, type DirectoryName, type ExtensionRequest, type Extensions, KeyObject, type Name, Nonce, PEM, PaddingAlgorithm, PrivateKey, type PrivateKeyInternals, PrivateKeyPEM, PublicKey, type PublicKeyLength, PublicKeyPEM, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_PADDING, type RevokedCertificate, Signature, Subject, type SubjectAltName, type SubjectOptions, type SubjectPublicKey, type SubjectPublicKeyInfo, type TBSCertList, type TbsCertificate, type Validity, type VerifyChunkSignatureOptions, type VerifyMessageChunkSignatureOptions, type Version, type X509ExtKeyUsage, type X509KeyUsage, type _VerifyStatus, _coercePrivateKey, asn1, certificateMatchesPrivateKey, coerceCertificate, coerceCertificatePem, coercePEMorDerToPrivateKey, coercePrivateKeyPem, coercePublicKeyPem, coerceRsaPublicKeyPem, combine_der, computeDerivedKeys, computePaddingFooter, convertPEMtoDER, createCertificateSigningRequest, createSelfSignedCertificate, decryptBufferWithDerivedKeys, derToPrivateKey, encryptBufferWithDerivedKeys, exploreAsn1, exploreCertificate, exploreCertificateInfo, exploreCertificateRevocationList, exploreCertificateSigningRequest, explorePrivateKey, extractPublicKeyFromCertificate, extractPublicKeyFromCertificateSync, generateKeyPair, generatePrivateKey, hexDump, identifyPemType, isCrlIssuedByCertificate, makeMessageChunkSignature, makeMessageChunkSignatureWithDerivedKeys, makePrivateKeyFromPem, makePrivateKeyThumbPrint, makePseudoRandomBuffer, makeSHA1Thumbprint, pemToPrivateKey, privateDecrypt, privateDecrypt_long, privateDecrypt_native, privateKeyToPEM, publicEncrypt, publicEncrypt_long, publicEncrypt_native, publicKeyAndPrivateKeyMatches, readCertificationRequestInfo, readExtension, readNameForCrl, readTbsCertificate, reduceLength, removePadding, removeTrailingLF, rsaLengthPrivateKey, rsaLengthPublicKey, rsaLengthRsaPublicKey, split_der, toPem, toPem2, verifyCertificateChain, verifyCertificateOrClrSignature, verifyCertificateRevocationListSignature, verifyCertificateSignature, verifyChunkSignature, verifyChunkSignatureWithDerivedKeys, verifyCrlIssuedByCertificate, verifyMessageChunkSignature };

package/dist/source/index_web.js

@@ -66,6 +66,7 @@ __export(index_web_exports, {
   generatePrivateKey: () => generatePrivateKey,
   hexDump: () => hexDump,
   identifyPemType: () => identifyPemType,
+  isCrlIssuedByCertificate: () => isCrlIssuedByCertificate,
   isKeyObject: () => isKeyObject,
   makeMessageChunkSignature: () => makeMessageChunkSignature,
   makeMessageChunkSignatureWithDerivedKeys: () => makeMessageChunkSignatureWithDerivedKeys,
@@ -101,6 +102,7 @@ __export(index_web_exports, {
   verifyCertificateSignature: () => verifyCertificateSignature,
   verifyChunkSignature: () => verifyChunkSignature,
   verifyChunkSignatureWithDerivedKeys: () => verifyChunkSignatureWithDerivedKeys,
+  verifyCrlIssuedByCertificate: () => verifyCrlIssuedByCertificate,
   verifyMessageChunkSignature: () => verifyMessageChunkSignature
 });
 module.exports = __toCommonJS(index_web_exports);
@@ -689,7 +691,6 @@ function readTime(buffer, block) {
 var import_node_assert2 = __toESM(require("assert"));
 var import_node_constants = __toESM(require("constants"));
 var import_node_crypto2 = require("crypto");
-var import_jsrsasign = __toESM(require("jsrsasign"));
 
 // source/buffer_utils.ts
 var createFastUninitializedBuffer = Buffer.allocUnsafe ? Buffer.allocUnsafe : (size) => {
@@ -879,8 +880,8 @@ function coerceCertificatePem(certificate) {
 }
 function extractPublicKeyFromCertificateSync(certificate) {
   certificate = coerceCertificatePem(certificate);
-  const key = import_jsrsasign.default.KEYUTIL.getKey(certificate);
-  const publicKeyAsPem = import_jsrsasign.default.KEYUTIL.getPEM(key);
+  const publicKeyObject = (0, import_node_crypto2.createPublicKey)(certificate);
+  const publicKeyAsPem = publicKeyObject.export({ format: "pem", type: "spki" }).toString();
   (0, import_node_assert2.default)(typeof publicKeyAsPem === "string");
   return publicKeyAsPem;
 }
@@ -1302,13 +1303,154 @@ function combine_der(certificates) {
   return Buffer.concat(certificates);
 }
 
+// source/explore_certificate_revocation_list.ts
+function readNameForCrl(buffer, block) {
+  return readDirectoryName(buffer, block);
+}
+function _readTbsCertList(buffer, blockInfo) {
+  const blocks = readStruct(buffer, blockInfo);
+  const hasOptionalVersion = blocks[0].tag === 2 /* INTEGER */;
+  if (hasOptionalVersion) {
+    const _version = readIntegerValue(buffer, blocks[0]);
+    const signature = readAlgorithmIdentifier(buffer, blocks[1]);
+    const issuer = readNameForCrl(buffer, blocks[2]);
+    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[2])));
+    const thisUpdate = readTime(buffer, blocks[3]);
+    const nextUpdate = readTime(buffer, blocks[4]);
+    const revokedCertificates = [];
+    if (blocks[5] && blocks[5].tag < 128) {
+      const list = readStruct(buffer, blocks[5]);
+      for (const r of list) {
+        const rr = readStruct(buffer, r);
+        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
+        const revocationDate = readTime(buffer, rr[1]);
+        revokedCertificates.push({
+          revocationDate,
+          userCertificate
+        });
+      }
+    }
+    const _ext0 = findBlockAtIndex(blocks, 0);
+    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
+  } else {
+    const signature = readAlgorithmIdentifier(buffer, blocks[0]);
+    const issuer = readNameForCrl(buffer, blocks[1]);
+    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[1])));
+    const thisUpdate = readTime(buffer, blocks[2]);
+    const nextUpdate = readTime(buffer, blocks[3]);
+    const revokedCertificates = [];
+    if (blocks[4] && blocks[4].tag < 128) {
+      const list = readStruct(buffer, blocks[4]);
+      for (const r of list) {
+        const rr = readStruct(buffer, r);
+        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
+        const revocationDate = readTime(buffer, rr[1]);
+        revokedCertificates.push({
+          revocationDate,
+          userCertificate
+        });
+      }
+    }
+    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
+  }
+}
+function exploreCertificateRevocationList(crl) {
+  const blockInfo = readTag(crl, 0);
+  const blocks = readStruct(crl, blockInfo);
+  const tbsCertList = _readTbsCertList(crl, blocks[0]);
+  const signatureAlgorithm = readAlgorithmIdentifier(crl, blocks[1]);
+  const signatureValue = readSignatureValueBin(crl, blocks[2]);
+  return { tbsCertList, signatureAlgorithm, signatureValue };
+}
+
+// source/verify_certificate_signature.ts
+var import_node_crypto3 = require("crypto");
+function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
+  const block_info = readTag(certificateOrCrl, 0);
+  const blocks = readStruct(certificateOrCrl, block_info);
+  const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
+  const signatureAlgorithm = readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
+  const signatureValue = readSignatureValueBin(certificateOrCrl, blocks[2]);
+  const p = split_der(parentCertificate)[0];
+  const certPem = toPem(p, "CERTIFICATE");
+  const verify = (0, import_node_crypto3.createVerify)(signatureAlgorithm.identifier);
+  verify.update(bufferToBeSigned);
+  verify.end();
+  return verify.verify(certPem, signatureValue);
+}
+function verifyCertificateSignature(certificate, parentCertificate) {
+  return verifyCertificateOrClrSignature(certificate, parentCertificate);
+}
+function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
+  return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+}
+async function verifyCertificateChain(certificateChain) {
+  for (let index = 1; index < certificateChain.length; index++) {
+    const cert = certificateChain[index - 1];
+    const certParent = certificateChain[index];
+    const certParentInfo = exploreCertificate(certParent);
+    const keyUsage = certParentInfo.tbsCertificate.extensions?.keyUsage;
+    if (!keyUsage || !keyUsage.keyCertSign) {
+      return {
+        status: "BadCertificateIssuerUseNotAllowed",
+        reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
+      };
+    }
+    const parentSignChild = verifyCertificateSignature(cert, certParent);
+    if (!parentSignChild) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "One of the certificate in the chain is not signing the previous certificate"
+      };
+    }
+    const certInfo = exploreCertificate(cert);
+    if (!certInfo.tbsCertificate.extensions) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "Cannot find X409 Extension 3 in certificate"
+      };
+    }
+    if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "Cannot find X409 Extension 3 in certificate (parent)"
+      };
+    }
+    if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
+      };
+    }
+  }
+  return {
+    status: "Good",
+    reason: `certificate chain is valid(length = ${certificateChain.length})`
+  };
+}
+
+// source/crl_utils.ts
+function isCrlIssuedByCertificate(crl, certificate) {
+  const crlInfo = exploreCertificateRevocationList(crl);
+  const certInfo = exploreCertificate(certificate);
+  return crlInfo.tbsCertList.issuerFingerprint === certInfo.tbsCertificate.subjectFingerPrint;
+}
+function verifyCrlIssuedByCertificate(crl, certificate) {
+  if (!isCrlIssuedByCertificate(crl, certificate)) {
+    return false;
+  }
+  return verifyCertificateRevocationListSignature(crl, certificate);
+}
+
 // source/crypto_utils2.ts
 var import_node_assert5 = __toESM(require("assert"));
-var import_jsrsasign2 = __toESM(require("jsrsasign"));
+var import_node_crypto4 = require("crypto");
 function rsaLengthPrivateKey(key) {
   const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
-  const a = import_jsrsasign2.default.KEYUTIL.getKey(keyPem);
-  return a.n.toString(16).length / 2;
+  const keyObject = (0, import_node_crypto4.createPrivateKey)(keyPem);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  (0, import_node_assert5.default)(modulusLength, "Cannot determine modulus length from private key");
+  return modulusLength / 8;
 }
 function toPem2(raw_key, pem) {
   if (raw_key.hidden) {
@@ -1348,19 +1490,23 @@ function coerceRsaPublicKeyPem(publicKey) {
 function rsaLengthPublicKey(key) {
   key = coercePublicKeyPem(key);
   (0, import_node_assert5.default)(typeof key === "string");
-  const a = import_jsrsasign2.default.KEYUTIL.getKey(key);
-  return a.n.toString(16).length / 2;
+  const keyObject = (0, import_node_crypto4.createPublicKey)(key);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  (0, import_node_assert5.default)(modulusLength, "Cannot determine modulus length from public key");
+  return modulusLength / 8;
 }
 function rsaLengthRsaPublicKey(key) {
   key = coerceRsaPublicKeyPem(key);
   (0, import_node_assert5.default)(typeof key === "string");
-  const a = import_jsrsasign2.default.KEYUTIL.getKey(key);
-  return a.n.toString(16).length / 2;
+  const keyObject = (0, import_node_crypto4.createPublicKey)(key);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  (0, import_node_assert5.default)(modulusLength, "Cannot determine modulus length from public key");
+  return modulusLength / 8;
 }
 
 // source/derived_keys.ts
 var import_node_assert7 = __toESM(require("assert"));
-var import_node_crypto3 = require("crypto");
+var import_node_crypto5 = require("crypto");
 
 // source/explore_certificate.ts
 var import_node_assert6 = __toESM(require("assert"));
@@ -1389,7 +1535,7 @@ function exploreCertificateInfo(certificate) {
 
 // source/derived_keys.ts
 function HMAC_HASH(sha1or256, secret, message) {
-  return (0, import_node_crypto3.createHmac)(sha1or256, secret).update(message).digest();
+  return (0, import_node_crypto5.createHmac)(sha1or256, secret).update(message).digest();
 }
 function plus(buf1, buf2) {
   return Buffer.concat([buf1, buf2]);
@@ -1466,7 +1612,7 @@ function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
   const algorithm = derivedKeys_algorithm(derivedKeys);
   const key = derivedKeys.encryptingKey;
   const initVector = derivedKeys.initializationVector;
-  const cipher = (0, import_node_crypto3.createCipheriv)(algorithm, key, initVector);
+  const cipher = (0, import_node_crypto5.createCipheriv)(algorithm, key, initVector);
   cipher.setAutoPadding(false);
   const encrypted_chunks = [];
   encrypted_chunks.push(cipher.update(buffer));
@@ -1477,7 +1623,7 @@ function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
   const algorithm = derivedKeys_algorithm(derivedKeys);
   const key = derivedKeys.encryptingKey;
   const initVector = derivedKeys.initializationVector;
-  const cipher = (0, import_node_crypto3.createDecipheriv)(algorithm, key, initVector);
+  const cipher = (0, import_node_crypto5.createDecipheriv)(algorithm, key, initVector);
   cipher.setAutoPadding(false);
   const decrypted_chunks = [];
   decrypted_chunks.push(cipher.update(buffer));
@@ -1489,7 +1635,7 @@ function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
   (0, import_node_assert7.default)(Buffer.isBuffer(derivedKeys.signingKey));
   (0, import_node_assert7.default)(typeof derivedKeys.sha1or256 === "string");
   (0, import_node_assert7.default)(derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
-  const signature = (0, import_node_crypto3.createHmac)(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
+  const signature = (0, import_node_crypto5.createHmac)(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
   (0, import_node_assert7.default)(signature.length === derivedKeys.signatureLength);
   return signature;
 }
@@ -1527,66 +1673,6 @@ function exploreAsn1(buffer) {
   dump(0, 0);
 }
 
-// source/explore_certificate_revocation_list.ts
-function readNameForCrl(buffer, block) {
-  return readDirectoryName(buffer, block);
-}
-function _readTbsCertList(buffer, blockInfo) {
-  const blocks = readStruct(buffer, blockInfo);
-  const hasOptionalVersion = blocks[0].tag === 2 /* INTEGER */;
-  if (hasOptionalVersion) {
-    const _version = readIntegerValue(buffer, blocks[0]);
-    const signature = readAlgorithmIdentifier(buffer, blocks[1]);
-    const issuer = readNameForCrl(buffer, blocks[2]);
-    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[2])));
-    const thisUpdate = readTime(buffer, blocks[3]);
-    const nextUpdate = readTime(buffer, blocks[4]);
-    const revokedCertificates = [];
-    if (blocks[5] && blocks[5].tag < 128) {
-      const list = readStruct(buffer, blocks[5]);
-      for (const r of list) {
-        const rr = readStruct(buffer, r);
-        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
-        const revocationDate = readTime(buffer, rr[1]);
-        revokedCertificates.push({
-          revocationDate,
-          userCertificate
-        });
-      }
-    }
-    const _ext0 = findBlockAtIndex(blocks, 0);
-    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
-  } else {
-    const signature = readAlgorithmIdentifier(buffer, blocks[0]);
-    const issuer = readNameForCrl(buffer, blocks[1]);
-    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[1])));
-    const thisUpdate = readTime(buffer, blocks[2]);
-    const nextUpdate = readTime(buffer, blocks[3]);
-    const revokedCertificates = [];
-    if (blocks[4] && blocks[4].tag < 128) {
-      const list = readStruct(buffer, blocks[4]);
-      for (const r of list) {
-        const rr = readStruct(buffer, r);
-        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
-        const revocationDate = readTime(buffer, rr[1]);
-        revokedCertificates.push({
-          revocationDate,
-          userCertificate
-        });
-      }
-    }
-    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
-  }
-}
-function exploreCertificateRevocationList(crl) {
-  const blockInfo = readTag(crl, 0);
-  const blocks = readStruct(crl, blockInfo);
-  const tbsCertList = _readTbsCertList(crl, blocks[0]);
-  const signatureAlgorithm = readAlgorithmIdentifier(crl, blocks[1]);
-  const signatureValue = readSignatureValueBin(crl, blocks[2]);
-  return { tbsCertList, signatureAlgorithm, signatureValue };
-}
-
 // source/explore_certificate_signing_request.ts
 function _readExtensionRequest(buffer) {
   const block = readTag(buffer, 0);
@@ -1834,74 +1920,8 @@ var Subject = class _Subject {
   }
 };
 
-// source/verify_certificate_signature.ts
-var import_node_crypto4 = require("crypto");
-function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
-  const block_info = readTag(certificateOrCrl, 0);
-  const blocks = readStruct(certificateOrCrl, block_info);
-  const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
-  const signatureAlgorithm = readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
-  const signatureValue = readSignatureValueBin(certificateOrCrl, blocks[2]);
-  const p = split_der(parentCertificate)[0];
-  const certPem = toPem(p, "CERTIFICATE");
-  const verify = (0, import_node_crypto4.createVerify)(signatureAlgorithm.identifier);
-  verify.update(bufferToBeSigned);
-  verify.end();
-  return verify.verify(certPem, signatureValue);
-}
-function verifyCertificateSignature(certificate, parentCertificate) {
-  return verifyCertificateOrClrSignature(certificate, parentCertificate);
-}
-function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
-  return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
-}
-async function verifyCertificateChain(certificateChain) {
-  for (let index = 1; index < certificateChain.length; index++) {
-    const cert = certificateChain[index - 1];
-    const certParent = certificateChain[index];
-    const certParentInfo = exploreCertificate(certParent);
-    const keyUsage = certParentInfo.tbsCertificate.extensions?.keyUsage;
-    if (!keyUsage || !keyUsage.keyCertSign) {
-      return {
-        status: "BadCertificateIssuerUseNotAllowed",
-        reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
-      };
-    }
-    const parentSignChild = verifyCertificateSignature(cert, certParent);
-    if (!parentSignChild) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "One of the certificate in the chain is not signing the previous certificate"
-      };
-    }
-    const certInfo = exploreCertificate(cert);
-    if (!certInfo.tbsCertificate.extensions) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "Cannot find X409 Extension 3 in certificate"
-      };
-    }
-    if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "Cannot find X409 Extension 3 in certificate (parent)"
-      };
-    }
-    if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
-      };
-    }
-  }
-  return {
-    status: "Good",
-    reason: `certificate chain is valid(length = ${certificateChain.length})`
-  };
-}
-
 // source/x509/_crypto.ts
-var import_node_crypto5 = __toESM(require("crypto"));
+var import_node_crypto6 = __toESM(require("crypto"));
 var import_webcrypto = require("@peculiar/webcrypto");
 var x509 = __toESM(require("@peculiar/x509"));
 var x5092 = __toESM(require("@peculiar/x509"));
@@ -1909,7 +1929,7 @@ var doDebug3 = false;
 var _crypto;
 var ignoreCrypto = process.env.IGNORE_SUBTLE_FROM_CRYPTO;
 if (typeof window === "undefined") {
-  _crypto = import_node_crypto5.default;
+  _crypto = import_node_crypto6.default;
   if (!_crypto?.subtle || ignoreCrypto) {
     _crypto = new import_webcrypto.Crypto();
     doDebug3 && console.warn("using @peculiar/webcrypto");
@@ -1923,7 +1943,7 @@ if (typeof window === "undefined") {
   x509.cryptoProvider.set(crypto);
 }
 function getCrypto() {
-  return _crypto || crypto || import_node_crypto5.default;
+  return _crypto || crypto || import_node_crypto6.default;
 }
 
 // source/x509/create_key_pair.ts
@@ -6462,6 +6482,7 @@ var asn1 = { readDirectoryName, readTag, readStruct, readAlgorithmIdentifier, re
   generatePrivateKey,
   hexDump,
   identifyPemType,
+  isCrlIssuedByCertificate,
   isKeyObject,
   makeMessageChunkSignature,
   makeMessageChunkSignatureWithDerivedKeys,
@@ -6497,6 +6518,7 @@ var asn1 = { readDirectoryName, readTag, readStruct, readAlgorithmIdentifier, re
   verifyCertificateSignature,
   verifyChunkSignature,
   verifyChunkSignatureWithDerivedKeys,
+  verifyCrlIssuedByCertificate,
   verifyMessageChunkSignature
 });
 /*! Bundled license information: