samlesa 2.12.3

package/src/types.ts

@@ -0,0 +1,153 @@
+import { LoginResponseTemplate } from './libsaml.js';
+
+export { IdentityProvider as IdentityProviderConstructor } from './entity-idp.js';
+export { IdpMetadata as IdentityProviderMetadata } from './metadata-idp.js';
+
+export { ServiceProvider as ServiceProviderConstructor } from './entity-sp.js';
+export { SpMetadata as ServiceProviderMetadata } from './metadata-sp.js';
+
+export type MetadataFile = string | Buffer;
+
+type SSOService = {
+  isDefault?: boolean;
+  Binding: string;
+  Location: string;
+};
+// 1. 定义服务名称类型
+export type ServiceName = {
+  value: string;
+  /** @description 语言标识符（如 en/zh-CN） */
+  lang?: string;
+};
+
+// 2. 定义请求属性类型
+export type RequestedAttribute = {
+  name: string;
+  friendlyName?: string;
+  isRequired?: boolean;
+  nameFormat?: string;
+  attributeValue?: string[];
+};
+
+// 3. 定义属性消费服务类型
+export type AttributeConsumingService = {
+  isDefault: boolean;
+  serviceName: ServiceName[]; // 修复点：确保属性名为 serviceName（驼峰命名）
+  serviceDescription: ServiceName[]; // 修复点：确保属性名为 serviceName（驼峰命名）
+  requestedAttributes: RequestedAttribute[];
+};
+
+// 4. 定义顶层服务配置类型
+export type AttrService = AttributeConsumingService[];
+export interface MetadataIdpOptions {
+  entityID?: string;
+  signingCert?: string | Buffer | (string | Buffer)[];
+  encryptCert?: string | Buffer | (string | Buffer)[];
+  wantAuthnRequestsSigned?: boolean;
+  nameIDFormat?: string[];
+  singleSignOnService?: SSOService[];
+  singleLogoutService?: SSOService[];
+  requestSignatureAlgorithm?: string;
+}
+
+export type MetadataIdpConstructor =
+  | MetadataIdpOptions
+  | MetadataFile;
+
+export interface MetadataSpOptions {
+  entityID?: string;
+  signingCert?: string | Buffer | (string | Buffer)[];
+  encryptCert?: string | Buffer | (string | Buffer)[];
+  authnRequestsSigned?: boolean;
+  wantAssertionsSigned?: boolean;
+  wantMessageSigned?: boolean;
+  signatureConfig?: { [key: string]: any };
+  nameIDFormat?: string[];
+  singleSignOnService?: SSOService[];
+  singleLogoutService?: SSOService[];
+  assertionConsumerService?: SSOService[];
+  attributeConsumingService?: AttributeConsumingService[];
+  elementsOrder?: string[];
+}
+
+export type MetadataSpConstructor =
+  | MetadataSpOptions
+  | MetadataFile;
+
+export type EntitySetting = ServiceProviderSettings & IdentityProviderSettings;
+
+export interface SignatureConfig {
+  prefix?: string;
+  location?: {
+    reference?: string;
+    action?: 'append' | 'prepend' | 'before' | 'after';
+  };
+}
+
+export interface SAMLDocumentTemplate {
+  context?: string;
+}
+
+export type ServiceProviderSettings = {
+  metadata?: string | Buffer;
+  entityID?: string;
+  authnRequestsSigned?: boolean;
+  wantAssertionsSigned?: boolean;
+  wantMessageSigned?: boolean;
+  wantLogoutResponseSigned?: boolean;
+  wantLogoutRequestSigned?: boolean;
+  privateKey?: string | Buffer;
+  privateKeyPass?: string;
+  isAssertionEncrypted?: boolean;
+  requestSignatureAlgorithm?: string;
+  encPrivateKey?: string | Buffer;
+  encPrivateKeyPass?: string | Buffer;
+  assertionConsumerService?: SSOService[];
+  singleLogoutService?: SSOService[];
+  signatureConfig?: SignatureConfig;
+  loginRequestTemplate?: SAMLDocumentTemplate;
+  logoutRequestTemplate?: SAMLDocumentTemplate;
+  signingCert?: string | Buffer | (string | Buffer)[];
+  encryptCert?: string | Buffer | (string | Buffer)[];
+  transformationAlgorithms?: string[];
+  nameIDFormat?: string[];
+  allowCreate?: boolean;
+  // will be deprecated soon
+  relayState?: string;
+  // https://github.com/tngan/samlify/issues/337
+  clockDrifts?: [number, number];
+};
+
+export type IdentityProviderSettings = {
+  metadata?: string | Buffer;
+
+  /** signature algorithm */
+  requestSignatureAlgorithm?: string;
+
+  /** template of login response */
+  loginResponseTemplate?: LoginResponseTemplate;
+
+  /** template of logout request */
+  logoutRequestTemplate?: SAMLDocumentTemplate;
+
+  /** customized function used for generating request ID */
+  generateID?: () => string;
+
+  entityID?: string;
+  privateKey?: string | Buffer;
+  privateKeyPass?: string;
+  signingCert?: string | Buffer | (string | Buffer)[];
+  encryptCert?: string | Buffer | (string | Buffer)[];
+  nameIDFormat?: string[];
+  singleSignOnService?: SSOService[];
+  singleLogoutService?: SSOService[];
+  isAssertionEncrypted?: boolean;
+  encPrivateKey?: string | Buffer;
+  encPrivateKeyPass?: string;
+  messageSigningOrder?: string;
+  wantLogoutRequestSigned?: boolean;
+  wantLogoutResponseSigned?: boolean;
+  wantAuthnRequestsSigned?: boolean;
+  wantLogoutRequestSignedResponseSigned?: boolean;
+  tagPrefix?: { [key: string]: string };
+};

package/src/urn.ts

@@ -0,0 +1,211 @@
+/**
+* @file urn.ts
+* @author tngan
+* @desc  Includes all keywords need in samlify
+*/
+
+export enum BindingNamespace {
+  Redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+  Post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+  SimpleSign = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
+  Artifact = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
+}
+
+export enum MessageSignatureOrder {
+  STE = 'sign-then-encrypt',
+  ETS = 'encrypt-then-sign'
+}
+
+export enum StatusCode {
+  // top-tier
+  Success = 'urn:oasis:names:tc:SAML:2.0:status:Success',
+  Requester = 'urn:oasis:names:tc:SAML:2.0:status:Requester',
+  Responder = 'urn:oasis:names:tc:SAML:2.0:status:Responder',
+  VersionMismatch = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch',
+  // second-tier to provide more information
+  AuthFailed = 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed',
+  InvalidAttrNameOrValue = 'urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue',
+  InvalidNameIDPolicy = 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy',
+  NoAuthnContext = 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext',
+  NoAvailableIDP = 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP',
+  NoPassive = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive',
+  NoSupportedIDP = 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP',
+  PartialLogout = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout',
+  ProxyCountExceeded = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded',
+  RequestDenied = 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied',
+  RequestUnsupported = 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported',
+  RequestVersionDeprecated = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated',
+  RequestVersionTooHigh = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh',
+  RequestVersionTooLow = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow',
+  ResourceNotRecognized = 'urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized',
+  TooManyResponses = 'urn:oasis:names:tc:SAML:2.0:status:TooManyResponses',
+  UnknownAttrProfile = 'urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile',
+  UnknownPrincipal = 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal',
+  UnsupportedBinding = 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding',
+}
+
+const namespace = {
+  binding: {
+    redirect: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+    post: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+    simpleSign: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
+    artifact: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+  },
+  names: {
+    protocol: 'urn:oasis:names:tc:SAML:2.0:protocol',
+    assertion: 'urn:oasis:names:tc:SAML:2.0:assertion',
+    metadata: 'urn:oasis:names:tc:SAML:2.0:metadata',
+    userLogout: 'urn:oasis:names:tc:SAML:2.0:logout:user',
+    adminLogout: 'urn:oasis:names:tc:SAML:2.0:logout:admin',
+  },
+  authnContextClassRef: {
+    password: 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
+    passwordProtectedTransport: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
+  },
+  format: {
+    emailAddress: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+    persistent: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+    transient: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+    entity: 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
+    unspecified: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+    kerberos: 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos',
+    windowsDomainQualifiedName: 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName',
+    x509SubjectName: 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName',
+  },
+  statusCode: {
+    // permissible top-level status codes
+    success: 'urn:oasis:names:tc:SAML:2.0:status:Success',
+    requester: 'urn:oasis:names:tc:SAML:2.0:status:Requester',
+    responder: 'urn:oasis:names:tc:SAML:2.0:status:Responder',
+    versionMismatch: 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch',
+    // second-level status codes
+    authFailed: 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed',
+    invalidAttrNameOrValue: 'urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue',
+    invalidNameIDPolicy: 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy',
+    noAuthnContext: 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext',
+    noAvailableIDP: 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP',
+    noPassive: 'urn:oasis:names:tc:SAML:2.0:status:NoPassive',
+    noSupportedIDP: 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP',
+    partialLogout: 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout',
+    proxyCountExceeded: 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded',
+    requestDenied: 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied',
+    requestUnsupported: 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported',
+    requestVersionDeprecated: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated',
+    requestVersionTooHigh: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh',
+    requestVersionTooLow: 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow',
+    resourceNotRecognized: 'urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized',
+    tooManyResponses: 'urn:oasis:names:tc:SAML:2.0:status:TooManyResponses',
+    unknownAttrProfile: 'urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile',
+    unknownPrincipal: 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal',
+    unsupportedBinding: 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding',
+  },
+};
+
+const tags = {
+  request: {
+    AllowCreate: '{AllowCreate}',
+    AssertionConsumerServiceURL: '{AssertionConsumerServiceURL}',
+    AuthnContextClassRef: '{AuthnContextClassRef}',
+    AssertionID: '{AssertionID}',
+    Audience: '{Audience}',
+    AuthnStatement: '{AuthnStatement}',
+    AttributeStatement: '{AttributeStatement}',
+    ConditionsNotBefore: '{ConditionsNotBefore}',
+    ConditionsNotOnOrAfter: '{ConditionsNotOnOrAfter}',
+    Destination: '{Destination}',
+    EntityID: '{EntityID}',
+    ID: '{ID}',
+    Issuer: '{Issuer}',
+    IssueInstant: '{IssueInstant}',
+    InResponseTo: '{InResponseTo}',
+    NameID: '{NameID}',
+    NameIDFormat: '{NameIDFormat}',
+    ProtocolBinding: '{ProtocolBinding}',
+    SessionIndex: '{SessionIndex}',
+    SubjectRecipient: '{SubjectRecipient}',
+    SubjectConfirmationDataNotOnOrAfter: '{SubjectConfirmationDataNotOnOrAfter}',
+    StatusCode: '{StatusCode}',
+  },
+  xmlTag: {
+    loginRequest: 'AuthnRequest',
+    logoutRequest: 'LogoutRequest',
+    loginResponse: 'Response',
+    logoutResponse: 'LogoutResponse',
+  },
+};
+
+const messageConfigurations = {
+  signingOrder: {
+    SIGN_THEN_ENCRYPT: 'sign-then-encrypt',
+    ENCRYPT_THEN_SIGN: 'encrypt-then-sign',
+  },
+};
+
+const algorithms = {
+  signature: {
+    RSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+    RSA_SHA256: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+    RSA_SHA512: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512',
+  },
+  encryption: {
+    data: {
+      AES_128: 'http://www.w3.org/2001/04/xmlenc#aes128-cbc',
+      AES_256: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
+      AES_256_GCM: 'http://www.w3.org/2009/xmlenc11#aes256-gcm',
+      TRI_DEC: 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc',
+      AES_128_GCM: 'http://www.w3.org/2009/xmlenc11#aes128-gcm'
+    },
+    key: {
+      RSA_OAEP_MGF1P: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
+      RSA_1_5: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
+    },
+  },
+  digest: {
+    'http://www.w3.org/2000/09/xmldsig#rsa-sha1': 'http://www.w3.org/2000/09/xmldsig#sha1',
+    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': 'http://www.w3.org/2001/04/xmlenc#sha256',
+    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512': 'http://www.w3.org/2001/04/xmlenc#sha512', // support hashing algorithm sha512 in xml-crypto after 0.8.0
+  },
+};
+
+export enum ParserType {
+  SAMLRequest = 'SAMLRequest',
+  SAMLResponse = 'SAMLResponse',
+  LogoutRequest = 'LogoutRequest',
+  LogoutResponse = 'LogoutResponse'
+}
+
+const wording = {
+  urlParams: {
+    samlRequest: 'SAMLRequest',
+    samlResponse: 'SAMLResponse',
+    logoutRequest: 'LogoutRequest',
+    logoutResponse: 'LogoutResponse',
+    sigAlg: 'SigAlg',
+    signature: 'Signature',
+    relayState: 'RelayState',
+  },
+  binding: {
+    redirect: 'redirect',
+    post: 'post',
+    simpleSign: 'simpleSign',
+    artifact: 'artifact',
+  },
+  certUse: {
+    signing: 'signing',
+    encrypt: 'encryption',
+  },
+  metadata: {
+    sp: 'metadata-sp',
+    idp: 'metadata-idp',
+  },
+};
+
+// https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP
+// some idps restrict the order of elements in entity descriptors
+const elementsOrder = {
+  default: ['KeyDescriptor', 'NameIDFormat', 'SingleLogoutService', 'AssertionConsumerService','AttributeConsumingService'],
+  onelogin: ['KeyDescriptor', 'NameIDFormat', 'SingleLogoutService', 'AssertionConsumerService','AttributeConsumingService'],
+  shibboleth: ['KeyDescriptor', 'SingleLogoutService', 'NameIDFormat', 'AssertionConsumerService', 'AttributeConsumingService'],
+};
+
+export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations };

package/src/utility.ts

@@ -0,0 +1,248 @@
+/**
+* @file utility.ts
+* @author tngan
+* @desc  Library for some common functions (e.g. de/inflation, en/decoding)
+*/
+import { pki, util, asn1 } from 'node-forge';
+import { X509Certificate } from 'node:crypto';
+
+
+import { inflate, deflate } from 'pako';
+
+const BASE64_STR = 'base64';
+
+/**
+ * @desc Mimic lodash.zipObject
+ * @param arr1 {string[]}
+ * @param arr2 {[]}
+ */
+export function zipObject(arr1: string[], arr2: any[], skipDuplicated = true) {
+  return arr1.reduce((res, l, i) => {
+
+    if (skipDuplicated) {
+      res[l] = arr2[i];
+      return res;
+    }
+    // if key exists, aggregate with array in order to get rid of duplicate key
+    if (res[l] !== undefined) {
+      res[l] = Array.isArray(res[l])
+        ? res[l].concat(arr2[i])
+        : [res[l]].concat(arr2[i]);
+      return res;
+    }
+
+    res[l] = arr2[i];
+    return res;
+
+  }, {});
+}
+/**
+ * @desc Alternative to lodash.flattenDeep
+ * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_flattendeep
+ * @param input {[]}
+ */
+export function flattenDeep(input: any[]) {
+  return Array.isArray(input)
+  ? input.reduce( (a, b) => a.concat(flattenDeep(b)) , [])
+  : [input];
+}
+/**
+ * @desc Alternative to lodash.last
+ * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_last
+ * @param input {[]}
+ */
+export function last(input: any[]) {
+  return input.slice(-1)[0];
+}
+/**
+ * @desc Alternative to lodash.uniq
+ * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_uniq
+ * @param input {string[]}
+ */
+export function uniq(input: string[]) {
+  const set = new Set(input);
+  return [... set];
+}
+/**
+ * @desc Alternative to lodash.get
+ * @reference https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_get
+ * @param obj
+ * @param path
+ * @param defaultValue
+ */
+export function get(obj, path, defaultValue) {
+  return path.split('.')
+  .reduce((a, c) => (a && a[c] ? a[c] : (defaultValue || null)), obj);
+}
+/**
+ * @desc Check if the input is string
+ * @param {any} input
+ */
+export function isString(input: any) {
+  return typeof input === 'string';
+}
+/**
+* @desc Encode string with base64 format
+* @param  {string} message                       plain-text message
+* @return {string} base64 encoded string
+*/
+function base64Encode(message: string | number[]) {
+  return Buffer.from(message as string).toString(BASE64_STR);
+}
+/**
+* @desc Decode string from base64 format
+* @param  {string} base64Message                 encoded string
+* @param  {boolean} isBytes                      determine the return value type (True: bytes False: string)
+* @return {bytes/string}  decoded bytes/string depends on isBytes, default is {string}
+*/
+export function base64Decode(base64Message: string, isBytes?: boolean): string | Buffer {
+  const bytes = Buffer.from(base64Message, BASE64_STR);
+  return Boolean(isBytes) ? bytes : bytes.toString();
+}
+/**
+* @desc Compress the string
+* @param  {string} message
+* @return {string} compressed string
+*/
+function deflateString(message: string): number[] {
+  const input = Array.prototype.map.call(message, char => char.charCodeAt(0));
+  return Array.from(deflate(input, { raw: true }));
+}
+/**
+* @desc Decompress the compressed string
+* @param  {string} compressedString
+* @return {string} decompressed string
+*/
+export function inflateString(compressedString: string): string {
+  const inputBuffer = Buffer.from(compressedString, BASE64_STR);
+  const input = Array.prototype.map.call(inputBuffer.toString('binary'), char => char.charCodeAt(0));
+  return Array.from(inflate(input, { raw: true }))
+    .map((byte: number) => String.fromCharCode(byte))
+    .join('');
+}
+/**
+* @desc Abstract the normalizeCerString and normalizePemString
+* @param {buffer} File stream or string
+* @param {string} String for header and tail
+* @return {string} A formatted certificate string
+*/
+function _normalizeCerString(bin: string | Buffer, format: string) {
+  return bin.toString().replace(/\n/g, '').replace(/\r/g, '').replace(`-----BEGIN ${format}-----`, '').replace(`-----END ${format}-----`, '').replace(/ /g, '').replace(/\t/g, '');
+}
+/**
+* @desc Parse the .cer to string format without line break, header and footer
+* @param  {string} certString     declares the certificate contents
+* @return {string} certificiate in string format
+*/
+function normalizeCerString(certString: string | Buffer) {
+  return _normalizeCerString(certString, 'CERTIFICATE');
+}
+/**
+* @desc Normalize the string in .pem format without line break, header and footer
+* @param  {string} pemString
+* @return {string} private key in string format
+*/
+function normalizePemString(pemString: string | Buffer) {
+  return _normalizeCerString(pemString.toString(), 'RSA PRIVATE KEY');
+}
+/**
+* @desc Return the complete URL
+* @param  {object} req                   HTTP request
+* @return {string} URL
+*/
+function getFullURL(req) {
+  return `${req.protocol}://${req.get('host')}${req.originalUrl}`;
+}
+/**
+* @desc Parse input string, return default value if it is undefined
+* @param  {string/boolean}
+* @return {boolean}
+*/
+function parseString(str, defaultValue = '') {
+  return str || defaultValue;
+}
+/**
+* @desc Override the object by another object (rtl)
+* @param  {object} default object
+* @param  {object} object applied to the default object
+* @return {object} result object
+*/
+function applyDefault(obj1, obj2) {
+  return Object.assign({}, obj1, obj2);
+}
+/**
+* @desc Get public key in pem format from the certificate included in the metadata
+* @param {string} x509 certificate
+* @return {string} public key fetched from the certificate
+*/
+function getPublicKeyPemFromCertificate(x509CertificateString: string) {
+  const certDerBytes = util.decode64(x509CertificateString);
+  const obj = asn1.fromDer(certDerBytes);
+  const cert = pki.certificateFromAsn1(obj);
+  return pki.publicKeyToPem(cert.publicKey);
+}
+
+
+
+/*function getPublicKeyPemFromCertificate(x509Certificate: string): string {
+  // 将 Base64 字符串转为 Buffer（DER 编码）
+  const derBuffer = Buffer.from(x509Certificate, 'base64');
+
+  // 解析 X.509 证书
+  const cert =  new X509Certificate(derBuffer);
+
+  // 直接获取公钥的 PEM 格式
+  console.log(cert.publicKey?.toString())
+  console.log("这就是我的打印")
+  return cert.publicKey?.toString();
+}*/
+/**
+* @desc Read private key from pem-formatted string
+* @param {string | Buffer} keyString pem-formatted string
+* @param {string} protected passphrase of the key
+* @return {string} string in pem format
+* If passphrase is used to protect the .pem content (recommend)
+*/
+export function readPrivateKey(keyString: string | Buffer, passphrase: string | undefined, isOutputString?: boolean) {
+  return isString(passphrase) ? this.convertToString(pki.privateKeyToPem(pki.decryptRsaPrivateKey(String(keyString), passphrase)), isOutputString) : keyString;
+}
+/**
+* @desc Inline syntax sugar
+*/
+function convertToString(input, isOutputString) {
+  return Boolean(isOutputString) ? String(input) : input;
+}
+/**
+ * @desc Check if the input is an array with non-zero size
+ */
+export function isNonEmptyArray(a:any) {
+  return Array.isArray(a) && a.length > 0;
+}
+
+export function castArrayOpt<T>(a?: T | T[]): T[] {
+  if (a === undefined) return []
+  return Array.isArray(a) ? a : [a]
+}
+
+export function notEmpty<TValue>(value: TValue | null | undefined): value is TValue {
+  return value !== null && value !== undefined;
+}
+
+const utility = {
+  isString,
+  base64Encode,
+  base64Decode,
+  deflateString,
+  inflateString,
+  normalizeCerString,
+  normalizePemString,
+  getFullURL,
+  parseString,
+  applyDefault,
+  getPublicKeyPemFromCertificate,
+  readPrivateKey,
+  convertToString,
+  isNonEmptyArray,
+};
+
+export default utility;

package/src/validator.ts

@@ -0,0 +1,44 @@
+// unit is ms
+type DriftTolerance = [number, number];
+
+function verifyTime(
+  utcNotBefore: string | undefined,
+  utcNotOnOrAfter: string | undefined,
+  drift: DriftTolerance = [0, 0]
+): boolean {
+
+  const now = new Date();
+
+  if (!utcNotBefore && !utcNotOnOrAfter) {
+    // show warning because user intends to have time check but the document doesn't include corresponding information
+    console.warn('You intend to have time validation however the document doesn\'t include the valid range.');
+    return true; 
+  }
+
+  let notBeforeLocal: Date | null = null;
+  let notOnOrAfterLocal: Date | null = null;
+
+  const [notBeforeDrift, notOnOrAfterDrift] = drift;
+
+  if (utcNotBefore && !utcNotOnOrAfter) {
+    notBeforeLocal = new Date(utcNotBefore);
+    return +notBeforeLocal + notBeforeDrift <= +now;
+  }
+  if (!utcNotBefore && utcNotOnOrAfter) {
+    notOnOrAfterLocal = new Date(utcNotOnOrAfter);
+    return +now < +notOnOrAfterLocal + notOnOrAfterDrift;
+  }
+
+  notBeforeLocal = new Date(utcNotBefore!);
+  notOnOrAfterLocal = new Date(utcNotOnOrAfter!);
+
+  return (
+    +notBeforeLocal + notBeforeDrift <= +now &&
+    +now < +notOnOrAfterLocal + notOnOrAfterDrift
+  );
+
+}
+
+export {
+  verifyTime
+};

package/tsconfig.json

@@ -0,0 +1,38 @@
+{
+  "compilerOptions": {
+
+    "skipLibCheck": true,
+    "target": "ESNext",
+    "module": "NodeNext",
+    "moduleResolution": "nodenext",
+    "declaration": true,
+    "declarationDir": "types",
+    "emitDecoratorMetadata": true,
+    "experimentalDecorators": true,
+    "downlevelIteration": true,
+    "sourceMap": true,
+    "outDir": "./build",
+    "baseUrl": "./",
+    "removeComments": false,
+    "strictNullChecks": true,
+    "esModuleInterop": true,
+    "paths": {},
+    "types": [
+      "node"
+  ],
+    "lib": [
+      "dom",
+    ]
+  },
+  "atom": { "rewriteTsconfig": false },
+  "exclude": [
+    "dist",
+    "examples",
+    "build",
+    "node_modules",
+    "types/**/*.ts",
+    "test/**/*.ts"
+  ],
+  "compileOnSave": false,
+  "buildOnSave": false
+}