npm - node-opcua-crypto - Versions diffs - 5.0.0 → 5.1.0 - Mend

node-opcua-crypto 5.0.0 → 5.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/{chunk-BIS3W2GR.mjs → chunk-ULG5CYBT.mjs} +164 -143
package/dist/chunk-ULG5CYBT.mjs.map +1 -0
package/dist/{chunk-ISIVVQGT.mjs → chunk-UXPULF3W.mjs} +9 -8
package/dist/chunk-UXPULF3W.mjs.map +1 -0
package/dist/index.d.mts +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +181 -158
package/dist/index.js.map +1 -1
package/dist/index.mjs +6 -2
package/dist/source/index.d.mts +1 -1
package/dist/source/index.d.ts +1 -1
package/dist/source/index.js +166 -144
package/dist/source/index.js.map +1 -1
package/dist/source/index.mjs +5 -1
package/dist/source/index_web.d.mts +31 -3
package/dist/source/index_web.d.ts +31 -3
package/dist/source/index_web.js +166 -144
package/dist/source/index_web.js.map +1 -1
package/dist/source/index_web.mjs +5 -1
package/dist/source_nodejs/index.d.mts +2 -1
package/dist/source_nodejs/index.d.ts +2 -1
package/dist/source_nodejs/index.js +23 -23
package/dist/source_nodejs/index.js.map +1 -1
package/dist/source_nodejs/index.mjs +2 -2
package/package.json +3 -7
package/dist/chunk-BIS3W2GR.mjs.map +0 -1
package/dist/chunk-ISIVVQGT.mjs.map +0 -1

package/dist/{chunk-BIS3W2GR.mjs → chunk-ULG5CYBT.mjs} RENAMED Viewed

@@ -596,12 +596,12 @@ import assert2 from "assert";
 import constants from "constants";
 import {
   createHash,
+  createPublicKey,
   createSign,
   createVerify,
   privateDecrypt as privateDecrypt1,
   publicEncrypt as publicEncrypt1
 } from "crypto";
-import jsrsasign from "jsrsasign";
 // source/buffer_utils.ts
 var createFastUninitializedBuffer = Buffer.allocUnsafe ? Buffer.allocUnsafe : (size) => {
@@ -791,8 +791,8 @@ function coerceCertificatePem(certificate) {
 }
 function extractPublicKeyFromCertificateSync(certificate) {
   certificate = coerceCertificatePem(certificate);
-  const key = jsrsasign.KEYUTIL.getKey(certificate);
-  const publicKeyAsPem = jsrsasign.KEYUTIL.getPEM(key);
+  const publicKeyObject = createPublicKey(certificate);
+  const publicKeyAsPem = publicKeyObject.export({ format: "pem", type: "spki" }).toString();
   assert2(typeof publicKeyAsPem === "string");
   return publicKeyAsPem;
 }
@@ -1214,13 +1214,154 @@ function combine_der(certificates) {
   return Buffer.concat(certificates);
 }
+// source/explore_certificate_revocation_list.ts
+function readNameForCrl(buffer, block) {
+  return readDirectoryName(buffer, block);
+}
+function _readTbsCertList(buffer, blockInfo) {
+  const blocks = readStruct(buffer, blockInfo);
+  const hasOptionalVersion = blocks[0].tag === 2 /* INTEGER */;
+  if (hasOptionalVersion) {
+    const _version = readIntegerValue(buffer, blocks[0]);
+    const signature = readAlgorithmIdentifier(buffer, blocks[1]);
+    const issuer = readNameForCrl(buffer, blocks[2]);
+    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[2])));
+    const thisUpdate = readTime(buffer, blocks[3]);
+    const nextUpdate = readTime(buffer, blocks[4]);
+    const revokedCertificates = [];
+    if (blocks[5] && blocks[5].tag < 128) {
+      const list = readStruct(buffer, blocks[5]);
+      for (const r of list) {
+        const rr = readStruct(buffer, r);
+        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
+        const revocationDate = readTime(buffer, rr[1]);
+        revokedCertificates.push({
+          revocationDate,
+          userCertificate
+        });
+      }
+    }
+    const _ext0 = findBlockAtIndex(blocks, 0);
+    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
+  } else {
+    const signature = readAlgorithmIdentifier(buffer, blocks[0]);
+    const issuer = readNameForCrl(buffer, blocks[1]);
+    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[1])));
+    const thisUpdate = readTime(buffer, blocks[2]);
+    const nextUpdate = readTime(buffer, blocks[3]);
+    const revokedCertificates = [];
+    if (blocks[4] && blocks[4].tag < 128) {
+      const list = readStruct(buffer, blocks[4]);
+      for (const r of list) {
+        const rr = readStruct(buffer, r);
+        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
+        const revocationDate = readTime(buffer, rr[1]);
+        revokedCertificates.push({
+          revocationDate,
+          userCertificate
+        });
+      }
+    }
+    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
+  }
+}
+function exploreCertificateRevocationList(crl) {
+  const blockInfo = readTag(crl, 0);
+  const blocks = readStruct(crl, blockInfo);
+  const tbsCertList = _readTbsCertList(crl, blocks[0]);
+  const signatureAlgorithm = readAlgorithmIdentifier(crl, blocks[1]);
+  const signatureValue = readSignatureValueBin(crl, blocks[2]);
+  return { tbsCertList, signatureAlgorithm, signatureValue };
+}
+// source/verify_certificate_signature.ts
+import { createVerify as createVerify2 } from "crypto";
+function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
+  const block_info = readTag(certificateOrCrl, 0);
+  const blocks = readStruct(certificateOrCrl, block_info);
+  const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
+  const signatureAlgorithm = readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
+  const signatureValue = readSignatureValueBin(certificateOrCrl, blocks[2]);
+  const p = split_der(parentCertificate)[0];
+  const certPem = toPem(p, "CERTIFICATE");
+  const verify = createVerify2(signatureAlgorithm.identifier);
+  verify.update(bufferToBeSigned);
+  verify.end();
+  return verify.verify(certPem, signatureValue);
+}
+function verifyCertificateSignature(certificate, parentCertificate) {
+  return verifyCertificateOrClrSignature(certificate, parentCertificate);
+}
+function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
+  return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+}
+async function verifyCertificateChain(certificateChain) {
+  for (let index = 1; index < certificateChain.length; index++) {
+    const cert = certificateChain[index - 1];
+    const certParent = certificateChain[index];
+    const certParentInfo = exploreCertificate(certParent);
+    const keyUsage = certParentInfo.tbsCertificate.extensions?.keyUsage;
+    if (!keyUsage || !keyUsage.keyCertSign) {
+      return {
+        status: "BadCertificateIssuerUseNotAllowed",
+        reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
+      };
+    }
+    const parentSignChild = verifyCertificateSignature(cert, certParent);
+    if (!parentSignChild) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "One of the certificate in the chain is not signing the previous certificate"
+      };
+    }
+    const certInfo = exploreCertificate(cert);
+    if (!certInfo.tbsCertificate.extensions) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "Cannot find X409 Extension 3 in certificate"
+      };
+    }
+    if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "Cannot find X409 Extension 3 in certificate (parent)"
+      };
+    }
+    if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
+      };
+    }
+  }
+  return {
+    status: "Good",
+    reason: `certificate chain is valid(length = ${certificateChain.length})`
+  };
+}
+// source/crl_utils.ts
+function isCrlIssuedByCertificate(crl, certificate) {
+  const crlInfo = exploreCertificateRevocationList(crl);
+  const certInfo = exploreCertificate(certificate);
+  return crlInfo.tbsCertList.issuerFingerprint === certInfo.tbsCertificate.subjectFingerPrint;
+}
+function verifyCrlIssuedByCertificate(crl, certificate) {
+  if (!isCrlIssuedByCertificate(crl, certificate)) {
+    return false;
+  }
+  return verifyCertificateRevocationListSignature(crl, certificate);
+}
 // source/crypto_utils2.ts
 import assert5 from "assert";
-import jsrsasign2 from "jsrsasign";
+import { createPrivateKey, createPublicKey as createPublicKey2 } from "crypto";
 function rsaLengthPrivateKey(key) {
   const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
-  const a = jsrsasign2.KEYUTIL.getKey(keyPem);
-  return a.n.toString(16).length / 2;
+  const keyObject = createPrivateKey(keyPem);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  assert5(modulusLength, "Cannot determine modulus length from private key");
+  return modulusLength / 8;
 }
 function toPem2(raw_key, pem) {
   if (raw_key.hidden) {
@@ -1260,14 +1401,18 @@ function coerceRsaPublicKeyPem(publicKey) {
 function rsaLengthPublicKey(key) {
   key = coercePublicKeyPem(key);
   assert5(typeof key === "string");
-  const a = jsrsasign2.KEYUTIL.getKey(key);
-  return a.n.toString(16).length / 2;
+  const keyObject = createPublicKey2(key);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  assert5(modulusLength, "Cannot determine modulus length from public key");
+  return modulusLength / 8;
 }
 function rsaLengthRsaPublicKey(key) {
   key = coerceRsaPublicKeyPem(key);
   assert5(typeof key === "string");
-  const a = jsrsasign2.KEYUTIL.getKey(key);
-  return a.n.toString(16).length / 2;
+  const keyObject = createPublicKey2(key);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  assert5(modulusLength, "Cannot determine modulus length from public key");
+  return modulusLength / 8;
 }
 // source/derived_keys.ts
@@ -1439,66 +1584,6 @@ function exploreAsn1(buffer) {
   dump(0, 0);
 }
-// source/explore_certificate_revocation_list.ts
-function readNameForCrl(buffer, block) {
-  return readDirectoryName(buffer, block);
-}
-function _readTbsCertList(buffer, blockInfo) {
-  const blocks = readStruct(buffer, blockInfo);
-  const hasOptionalVersion = blocks[0].tag === 2 /* INTEGER */;
-  if (hasOptionalVersion) {
-    const _version = readIntegerValue(buffer, blocks[0]);
-    const signature = readAlgorithmIdentifier(buffer, blocks[1]);
-    const issuer = readNameForCrl(buffer, blocks[2]);
-    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[2])));
-    const thisUpdate = readTime(buffer, blocks[3]);
-    const nextUpdate = readTime(buffer, blocks[4]);
-    const revokedCertificates = [];
-    if (blocks[5] && blocks[5].tag < 128) {
-      const list = readStruct(buffer, blocks[5]);
-      for (const r of list) {
-        const rr = readStruct(buffer, r);
-        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
-        const revocationDate = readTime(buffer, rr[1]);
-        revokedCertificates.push({
-          revocationDate,
-          userCertificate
-        });
-      }
-    }
-    const _ext0 = findBlockAtIndex(blocks, 0);
-    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
-  } else {
-    const signature = readAlgorithmIdentifier(buffer, blocks[0]);
-    const issuer = readNameForCrl(buffer, blocks[1]);
-    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[1])));
-    const thisUpdate = readTime(buffer, blocks[2]);
-    const nextUpdate = readTime(buffer, blocks[3]);
-    const revokedCertificates = [];
-    if (blocks[4] && blocks[4].tag < 128) {
-      const list = readStruct(buffer, blocks[4]);
-      for (const r of list) {
-        const rr = readStruct(buffer, r);
-        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
-        const revocationDate = readTime(buffer, rr[1]);
-        revokedCertificates.push({
-          revocationDate,
-          userCertificate
-        });
-      }
-    }
-    return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
-  }
-}
-function exploreCertificateRevocationList(crl) {
-  const blockInfo = readTag(crl, 0);
-  const blocks = readStruct(crl, blockInfo);
-  const tbsCertList = _readTbsCertList(crl, blocks[0]);
-  const signatureAlgorithm = readAlgorithmIdentifier(crl, blocks[1]);
-  const signatureValue = readSignatureValueBin(crl, blocks[2]);
-  return { tbsCertList, signatureAlgorithm, signatureValue };
-}
 // source/explore_certificate_signing_request.ts
 function _readExtensionRequest(buffer) {
   const block = readTag(buffer, 0);
@@ -1746,72 +1831,6 @@ var Subject = class _Subject {
   }
 };
-// source/verify_certificate_signature.ts
-import { createVerify as createVerify2 } from "crypto";
-function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
-  const block_info = readTag(certificateOrCrl, 0);
-  const blocks = readStruct(certificateOrCrl, block_info);
-  const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
-  const signatureAlgorithm = readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
-  const signatureValue = readSignatureValueBin(certificateOrCrl, blocks[2]);
-  const p = split_der(parentCertificate)[0];
-  const certPem = toPem(p, "CERTIFICATE");
-  const verify = createVerify2(signatureAlgorithm.identifier);
-  verify.update(bufferToBeSigned);
-  verify.end();
-  return verify.verify(certPem, signatureValue);
-}
-function verifyCertificateSignature(certificate, parentCertificate) {
-  return verifyCertificateOrClrSignature(certificate, parentCertificate);
-}
-function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
-  return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
-}
-async function verifyCertificateChain(certificateChain) {
-  for (let index = 1; index < certificateChain.length; index++) {
-    const cert = certificateChain[index - 1];
-    const certParent = certificateChain[index];
-    const certParentInfo = exploreCertificate(certParent);
-    const keyUsage = certParentInfo.tbsCertificate.extensions?.keyUsage;
-    if (!keyUsage || !keyUsage.keyCertSign) {
-      return {
-        status: "BadCertificateIssuerUseNotAllowed",
-        reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
-      };
-    }
-    const parentSignChild = verifyCertificateSignature(cert, certParent);
-    if (!parentSignChild) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "One of the certificate in the chain is not signing the previous certificate"
-      };
-    }
-    const certInfo = exploreCertificate(cert);
-    if (!certInfo.tbsCertificate.extensions) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "Cannot find X409 Extension 3 in certificate"
-      };
-    }
-    if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "Cannot find X409 Extension 3 in certificate (parent)"
-      };
-    }
-    if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
-      };
-    }
-  }
-  return {
-    status: "Good",
-    reason: `certificate chain is valid(length = ${certificateChain.length})`
-  };
-}
 // source/x509/_crypto.ts
 import nativeCrypto from "crypto";
 import { Crypto as PeculiarWebCrypto } from "@peculiar/webcrypto";
@@ -6367,6 +6386,14 @@ export {
   exploreCertificate,
   split_der,
   combine_der,
+  readNameForCrl,
+  exploreCertificateRevocationList,
+  verifyCertificateOrClrSignature,
+  verifyCertificateSignature,
+  verifyCertificateRevocationListSignature,
+  verifyCertificateChain,
+  isCrlIssuedByCertificate,
+  verifyCrlIssuedByCertificate,
   rsaLengthPrivateKey,
   toPem2,
   coercePrivateKeyPem,
@@ -6387,8 +6414,6 @@ export {
   makeMessageChunkSignatureWithDerivedKeys,
   verifyChunkSignatureWithDerivedKeys,
   exploreAsn1,
-  readNameForCrl,
-  exploreCertificateRevocationList,
   readCertificationRequestInfo,
   exploreCertificateSigningRequest,
   explorePrivateKey,
@@ -6397,10 +6422,6 @@ export {
   publicKeyAndPrivateKeyMatches,
   certificateMatchesPrivateKey,
   Subject,
-  verifyCertificateOrClrSignature,
-  verifyCertificateSignature,
-  verifyCertificateRevocationListSignature,
-  verifyCertificateChain,
   generateKeyPair,
   generatePrivateKey,
   privateKeyToPEM,
@@ -6480,4 +6501,4 @@ asn1js/build/index.es.js:
    *
    *)
 */
-//# sourceMappingURL=chunk-BIS3W2GR.mjs.map
+//# sourceMappingURL=chunk-ULG5CYBT.mjs.map