mirror of
https://git.coolaj86.com/coolaj86/bluecrypt-keypairs.js
synced 2025-04-21 14:20:37 +00:00
190 lines
5.2 KiB
JavaScript
190 lines
5.2 KiB
JavaScript
// Copyright 2018-present AJ ONeal. All rights reserved
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
(function (exports) {
|
|
'use strict';
|
|
|
|
var ASN1 = exports.ASN1;
|
|
var Enc = exports.Enc;
|
|
var PEM = exports.PEM;
|
|
var X509 = exports.x509;
|
|
var Keypairs = exports.Keypairs;
|
|
|
|
// TODO find a way that the prior node-ish way of `module.exports = function () {}` isn't broken
|
|
var CSR = exports.CSR = function (opts) {
|
|
// We're using a Promise here to be compatible with the browser version
|
|
// which will probably use the webcrypto API for some of the conversions
|
|
opts = CSR._prepare(opts);
|
|
|
|
return CSR.create(opts).then(function (bytes) {
|
|
return CSR._encode(opts, bytes);
|
|
});
|
|
};
|
|
|
|
CSR._prepare = function (opts) {
|
|
var Rasha;
|
|
opts = JSON.parse(JSON.stringify(opts));
|
|
var pem, jwk;
|
|
|
|
// We do a bit of extra error checking for user convenience
|
|
if (!opts) { throw new Error("You must pass options with key and domains to rsacsr"); }
|
|
if (!Array.isArray(opts.domains) || 0 === opts.domains.length) {
|
|
new Error("You must pass options.domains as a non-empty array");
|
|
}
|
|
|
|
// I need to check that 例.中国 is a valid domain name
|
|
if (!opts.domains.every(function (d) {
|
|
// allow punycode? xn--
|
|
if ('string' === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) {
|
|
return true;
|
|
}
|
|
})) {
|
|
throw new Error("You must pass options.domains as strings");
|
|
}
|
|
|
|
if (opts.pem) {
|
|
pem = opts.pem;
|
|
} else if (opts.jwk) {
|
|
jwk = opts.jwk;
|
|
} else {
|
|
if (!opts.key) {
|
|
throw new Error("You must pass options.key as a JSON web key");
|
|
} else if (opts.key.kty) {
|
|
jwk = opts.key;
|
|
} else {
|
|
pem = opts.key;
|
|
}
|
|
}
|
|
|
|
if (pem) {
|
|
try {
|
|
Rasha = require('rasha');
|
|
} catch(e) {
|
|
throw new Error("Rasha.js is an optional dependency for PEM-to-JWK.\n"
|
|
+ "Install it if you'd like to use it:\n"
|
|
+ "\tnpm install --save rasha\n"
|
|
+ "Otherwise supply a jwk as the private key."
|
|
);
|
|
}
|
|
jwk = Rasha.importSync({ pem: pem });
|
|
}
|
|
|
|
opts.jwk = jwk;
|
|
return opts;
|
|
};
|
|
|
|
CSR._encode = function (opts, bytes) {
|
|
if ('der' === (opts.encoding||'').toLowerCase()) {
|
|
return bytes;
|
|
}
|
|
return PEM.packBlock({
|
|
type: "CERTIFICATE REQUEST"
|
|
, bytes: bytes /* { jwk: jwk, domains: opts.domains } */
|
|
});
|
|
};
|
|
|
|
CSR.create = function createCsr(opts) {
|
|
var hex = CSR.request(opts.jwk, opts.domains);
|
|
return CSR.sign(opts.jwk, hex).then(function (csr) {
|
|
return Enc.hexToBuf(csr);
|
|
});
|
|
};
|
|
|
|
//
|
|
// RSA
|
|
//
|
|
//
|
|
CSR.request = function createCsrBodyEc(jwk, domains) {
|
|
var asn1pub = X509.packCsrRsaPublicKey(jwk);
|
|
return X509.packCsrRsa(asn1pub, domains);
|
|
};
|
|
|
|
CSR.sign = function csrEcSig(jwk, request) {
|
|
// Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a
|
|
// TODO will have to convert web ECDSA signatures to PEM ECDSA signatures (but RSA should be the same)
|
|
// TODO have a consistent non-private way to sign
|
|
return Keypairs._sign({ jwk: jwk }, Enc.hexToBuf(request)).then(function (sig) {
|
|
return CSR.toDer({ request: request, signature: sig });
|
|
});
|
|
};
|
|
|
|
|
|
CSR.toDer = function encode(opts) {
|
|
var sty = ASN1('30'
|
|
// 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
|
|
, ASN1('06', '2a864886f70d01010b')
|
|
, ASN1('05')
|
|
);
|
|
return ASN1('30'
|
|
// The Full CSR Request Body
|
|
, opts.request
|
|
// The Signature Type
|
|
, sty
|
|
// The Signature
|
|
, ASN1.BitStr(Enc.bufToHex(opts.signature))
|
|
);
|
|
};
|
|
|
|
X509.packCsrRsa = function (asn1pubkey, domains) {
|
|
return ASN1('30'
|
|
// Version (0)
|
|
, ASN1.UInt('00')
|
|
|
|
// 2.5.4.3 commonName (X.520 DN component)
|
|
, ASN1('30', ASN1('31', ASN1('30', ASN1('06', '550403'), ASN1('0c', Enc.utf8ToHex(domains[0])))))
|
|
|
|
// Public Key (RSA or EC)
|
|
, asn1pubkey
|
|
|
|
// Request Body
|
|
, ASN1('a0'
|
|
, ASN1('30'
|
|
// 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
|
|
, ASN1('06', '2a864886f70d01090e')
|
|
, ASN1('31'
|
|
, ASN1('30'
|
|
, ASN1('30'
|
|
// 2.5.29.17 subjectAltName (X.509 extension)
|
|
, ASN1('06', '551d11')
|
|
, ASN1('04'
|
|
, ASN1('30', domains.map(function (d) {
|
|
return ASN1('82', Enc.utf8ToHex(d));
|
|
}).join(''))))))))
|
|
);
|
|
};
|
|
|
|
X509.packPkcs1 = function (jwk) {
|
|
var n = ASN1.UInt(Enc.base64ToHex(jwk.n));
|
|
var e = ASN1.UInt(Enc.base64ToHex(jwk.e));
|
|
|
|
if (!jwk.d) {
|
|
return Enc.hexToBuf(ASN1('30', n, e));
|
|
}
|
|
|
|
return Enc.hexToBuf(ASN1('30'
|
|
, ASN1.UInt('00')
|
|
, n
|
|
, e
|
|
, ASN1.UInt(Enc.base64ToHex(jwk.d))
|
|
, ASN1.UInt(Enc.base64ToHex(jwk.p))
|
|
, ASN1.UInt(Enc.base64ToHex(jwk.q))
|
|
, ASN1.UInt(Enc.base64ToHex(jwk.dp))
|
|
, ASN1.UInt(Enc.base64ToHex(jwk.dq))
|
|
, ASN1.UInt(Enc.base64ToHex(jwk.qi))
|
|
));
|
|
};
|
|
|
|
X509.packCsrRsaPublicKey = function (jwk) {
|
|
// Sequence the key
|
|
var n = ASN1.UInt(Enc.base64ToHex(jwk.n));
|
|
var e = ASN1.UInt(Enc.base64ToHex(jwk.e));
|
|
var asn1pub = ASN1('30', n, e);
|
|
//var asn1pub = X509.packPkcs1({ kty: jwk.kty, n: jwk.n, e: jwk.e });
|
|
|
|
// Add the CSR pub key header
|
|
return ASN1('30', ASN1('30', ASN1('06', '2a864886f70d010101'), ASN1('05')), ASN1.BitStr(asn1pub));
|
|
};
|
|
|
|
}('undefined' === typeof window ? module.exports : window));
|