lkddi/certd
1
0
Fork 0
mirror of https://github.com/certd/certd.git synced 2026-04-24 04:17:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

🔱: [acme] sync upgrade with 5 commits [trident-sync]

Browse Source 
Update IETF links
Fix misc typos
Forgot SAN extension for self-signed ALPN certs
Replace jsrsasign dep with @peculiar/x509
This commit is contained in:
GitHub Actions Bot
2024-02-03 19:24:11 +00:00
parent a6bf198604
commit 80cd1bfc8e
13 changed files with 307 additions and 247 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/core/acme-client/src/api.js
+13 -13
View File
@@ -41,7 +41,7 @@ class AcmeApi {
* @private
* @param {string} url Request URL
* @param {object} [payload] Request payload, default: `null`
* @param {array} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
* @param {number[]} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
* @param {object} [opts]
* @param {boolean} [opts.includeJwsKid] Include KID instead of JWK in JWS header, default: `true`
* @param {boolean} [opts.includeExternalAccountBinding] Include EAB in request, default: `false`
@@ -66,7 +66,7 @@ class AcmeApi {
* @private
* @param {string} resource Request resource name
* @param {object} [payload] Request payload, default: `null`
* @param {array} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
* @param {number[]} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
* @param {object} [opts]
* @param {boolean} [opts.includeJwsKid] Include KID instead of JWK in JWS header, default: `true`
* @param {boolean} [opts.includeExternalAccountBinding] Include EAB in request, default: `false`
@@ -82,7 +82,7 @@ class AcmeApi {
/**
* Get Terms of Service URL if available
*
* https://tools.ietf.org/html/rfc8555#section-7.1.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
*
* @returns {Promise<string|null>} ToS URL
*/
@@ -95,7 +95,7 @@ class AcmeApi {
/**
* Create new account
*
* https://tools.ietf.org/html/rfc8555#section-7.3
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
@@ -119,7 +119,7 @@ class AcmeApi {
/**
* Update account
*
* https://tools.ietf.org/html/rfc8555#section-7.3.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
@@ -133,7 +133,7 @@ class AcmeApi {
/**
* Update account key
*
* https://tools.ietf.org/html/rfc8555#section-7.3.5
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.5
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
@@ -147,7 +147,7 @@ class AcmeApi {
/**
* Create new order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
@@ -161,7 +161,7 @@ class AcmeApi {
/**
* Get order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {string} url Order URL
* @returns {Promise<object>} HTTP response
@@ -175,7 +175,7 @@ class AcmeApi {
/**
* Finalize order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {string} url Finalization URL
* @param {object} data Request payload
@@ -190,7 +190,7 @@ class AcmeApi {
/**
* Get identifier authorization
*
* https://tools.ietf.org/html/rfc8555#section-7.5
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5
*
* @param {string} url Authorization URL
* @returns {Promise<object>} HTTP response
@@ -204,7 +204,7 @@ class AcmeApi {
/**
* Update identifier authorization
*
* https://tools.ietf.org/html/rfc8555#section-7.5.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2
*
* @param {string} url Authorization URL
* @param {object} data Request payload
@@ -219,7 +219,7 @@ class AcmeApi {
/**
* Complete challenge
*
* https://tools.ietf.org/html/rfc8555#section-7.5.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
*
* @param {string} url Challenge URL
* @param {object} data Request payload
@@ -234,7 +234,7 @@ class AcmeApi {
/**
* Revoke certificate
*
* https://tools.ietf.org/html/rfc8555#section-7.6
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
packages/core/acme-client/src/client.js
+17 -17
View File
@@ -154,7 +154,7 @@ class AcmeClient {
/**
* Create a new account
*
* https://tools.ietf.org/html/rfc8555#section-7.3
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
*
* @param {object} [data] Request data
* @returns {Promise<object>} Account
@@ -200,7 +200,7 @@ class AcmeClient {
/**
* Update existing account
*
* https://tools.ietf.org/html/rfc8555#section-7.3.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
*
* @param {object} [data] Request data
* @returns {Promise<object>} Account
@@ -240,7 +240,7 @@ class AcmeClient {
/**
* Update account private key
*
* https://tools.ietf.org/html/rfc8555#section-7.3.5
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.5
*
* @param {buffer|string} newAccountKey New PEM encoded private key
* @param {object} [data] Additional request data
@@ -286,7 +286,7 @@ class AcmeClient {
/**
* Create a new order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {object} data Request data
* @returns {Promise<object>} Order
@@ -318,7 +318,7 @@ class AcmeClient {
/**
* Refresh order object from CA
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {object} order Order object
* @returns {Promise<object>} Order
@@ -345,7 +345,7 @@ class AcmeClient {
/**
* Finalize order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {object} order Order object
* @param {buffer|string} csr PEM encoded Certificate Signing Request
@@ -380,7 +380,7 @@ class AcmeClient {
/**
* Get identifier authorizations from order
*
* https://tools.ietf.org/html/rfc8555#section-7.5
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5
*
* @param {object} order Order
* @returns {Promise<object[]>} Authorizations
@@ -410,7 +410,7 @@ class AcmeClient {
/**
* Deactivate identifier authorization
*
* https://tools.ietf.org/html/rfc8555#section-7.5.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2
*
* @param {object} authz Identifier authorization
* @returns {Promise<object>} Authorization
@@ -442,7 +442,7 @@ class AcmeClient {
/**
* Get key authorization for ACME challenge
*
* https://tools.ietf.org/html/rfc8555#section-8.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-8.1
*
* @param {object} challenge Challenge object returned by API
* @returns {Promise<string>} Key authorization
@@ -462,17 +462,17 @@ class AcmeClient {
const thumbprint = keysum.digest('base64url');
const result = `${challenge.token}.${thumbprint}`;
/* https://tools.ietf.org/html/rfc8555#section-8.3 */
/* https://datatracker.ietf.org/doc/html/rfc8555#section-8.3 */
if (challenge.type === 'http-01') {
return result;
}
/* https://tools.ietf.org/html/rfc8555#section-8.4 */
/* https://datatracker.ietf.org/doc/html/rfc8555#section-8.4 */
if (challenge.type === 'dns-01') {
return createHash('sha256').update(result).digest('base64url');
}
/* https://tools.ietf.org/html/rfc8737 */
/* https://datatracker.ietf.org/doc/html/rfc8737 */
if (challenge.type === 'tls-alpn-01') {
return result;
}
@@ -519,7 +519,7 @@ class AcmeClient {
/**
* Notify CA that challenge has been completed
*
* https://tools.ietf.org/html/rfc8555#section-7.5.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
*
* @param {object} challenge Challenge object returned by API
* @returns {Promise<object>} Challenge
@@ -540,7 +540,7 @@ class AcmeClient {
/**
* Wait for ACME provider to verify status on a order, authorization or challenge
*
* https://tools.ietf.org/html/rfc8555#section-7.5.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
*
* @param {object} item An order, authorization or challenge object
* @returns {Promise<object>} Valid order, authorization or challenge
@@ -551,7 +551,7 @@ class AcmeClient {
* await client.waitForValidStatus(challenge);
* ```
*
* @example Wait for valid authoriation status
* @example Wait for valid authorization status
* ```js
* const authz = { ... };
* await client.waitForValidStatus(authz);
@@ -597,7 +597,7 @@ class AcmeClient {
/**
* Get certificate from ACME order
*
* https://tools.ietf.org/html/rfc8555#section-7.4.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
*
* @param {object} order Order object
* @param {string} [preferredChain] Indicate which certificate chain is preferred if a CA offers multiple, by exact issuer common name, default: `null`
@@ -644,7 +644,7 @@ class AcmeClient {
/**
* Revoke certificate
*
* https://tools.ietf.org/html/rfc8555#section-7.6
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
*
* @param {buffer|string} cert PEM encoded certificate
* @param {object} [data] Additional request data
packages/core/acme-client/src/crypto/forge.js
+2 -2
View File
@@ -281,7 +281,7 @@ exports.readCertificateInfo = async function(cert) {
/**
* Determine ASN.1 type for CSR subject short name
* Note: https://tools.ietf.org/html/rfc5280
* Note: https://datatracker.ietf.org/doc/html/rfc5280
*
* @private
* @param {string} shortName CSR subject short name
@@ -343,7 +343,7 @@ function formatCsrAltNames(altNames) {
* @param {object} data
* @param {number} [data.keySize] Size of newly created private key, default: `2048`
* @param {string} [data.commonName]
* @param {array} [data.altNames] default: `[]`
* @param {string[]} [data.altNames] default: `[]`
* @param {string} [data.country]
* @param {string} [data.state]
* @param {string} [data.locality]
packages/core/acme-client/src/crypto/index.js
+168 -177
View File
@@ -7,12 +7,19 @@
const net = require('net');
const { promisify } = require('util');
const crypto = require('crypto');
const jsrsasign = require('jsrsasign');
const asn1js = require('asn1js');
const x509 = require('@peculiar/x509');
const randomInt = promisify(crypto.randomInt);
const generateKeyPair = promisify(crypto.generateKeyPair);
/* https://datatracker.ietf.org/doc/html/rfc8737#section-6.1 */
/* Use Node.js Web Crypto API */
x509.cryptoProvider.set(crypto.webcrypto);
/* id-ce-subjectAltName - https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
const subjectAltNameOID = '2.5.29.17';
/* id-pe-acmeIdentifier - https://datatracker.ietf.org/doc/html/rfc8737#section-6.1 */
const alpnAcmeIdentifierOID = '1.3.6.1.5.5.7.1.31';
@@ -28,17 +35,14 @@ function getKeyInfo(keyPem) {
const result = {
isRSA: false,
isECDSA: false,
signatureAlgorithm: null,
publicKey: crypto.createPublicKey(keyPem)
};
if (result.publicKey.asymmetricKeyType === 'rsa') {
result.isRSA = true;
result.signatureAlgorithm = 'SHA256withRSA';
}
else if (result.publicKey.asymmetricKeyType === 'ec') {
result.isECDSA = true;
result.signatureAlgorithm = 'SHA256withECDSA';
}
else {
throw new Error('Unable to parse key information, unknown format');
@@ -173,24 +177,42 @@ exports.getJwk = getJwk;
/**
* Fix missing support for NIST curve names in jsrsasign
* Produce CryptoKeyPair and signing algorithm from a PEM encoded private key
*
* @private
* @param {string} crv NIST curve name
* @returns {string} SECG curve name
* @param {buffer|string} keyPem PEM encoded private key
* @returns {Promise<array>} [keyPair, signingAlgorithm]
*/
function convertNistCurveNameToSecg(nistName) {
switch (nistName) {
case 'P-256':
return 'secp256r1';
case 'P-384':
return 'secp384r1';
case 'P-521':
return 'secp521r1';
default:
return nistName;
async function getWebCryptoKeyPair(keyPem) {
const info = getKeyInfo(keyPem);
const jwk = getJwk(keyPem);
/* Signing algorithm */
const sigalg = {
name: 'RSASSA-PKCS1-v1_5',
hash: { name: 'SHA-256' }
};
if (info.isECDSA) {
sigalg.name = 'ECDSA';
sigalg.namedCurve = jwk.crv;
if (jwk.crv === 'P-384') {
sigalg.hash.name = 'SHA-384';
}
if (jwk.crv === 'P-521') {
sigalg.hash.name = 'SHA-512';
}
}
/* Decode PEM and import into CryptoKeyPair */
const privateKeyDec = x509.PemConverter.decodeFirst(keyPem.toString());
const privateKey = await crypto.webcrypto.subtle.importKey('pkcs8', privateKeyDec, sigalg, true, ['sign']);
const publicKey = await crypto.webcrypto.subtle.importKey('jwk', jwk, sigalg, true, ['verify']);
return [{ privateKey, publicKey }, sigalg];
}
@@ -198,7 +220,7 @@ function convertNistCurveNameToSecg(nistName) {
* Split chain of PEM encoded objects from string into array
*
* @param {buffer|string} chainPem PEM encoded object chain
* @returns {array} Array of PEM objects including headers
* @returns {string[]} Array of PEM objects including headers
*/
function splitPemChain(chainPem) {
@@ -206,15 +228,9 @@ function splitPemChain(chainPem) {
chainPem = chainPem.toString();
}
return chainPem
/* Split chain into chunks, starting at every header */
.split(/\s*(?=-----BEGIN [A-Z0-9- ]+-----\r?\n?)/g)
/* Match header, PEM body and footer */
.map((pem) => pem.match(/\s*-----BEGIN ([A-Z0-9- ]+)-----\r?\n?([\S\s]+)\r?\n?-----END \1-----/))
/* Filter out non-matches or empty bodies */
.filter((pem) => pem && pem[2] && pem[2].replace(/[\r\n]+/g, '').trim())
/* Decode to hex, and back to PEM for formatting etc */
.map(([pem, header]) => jsrsasign.hextopem(jsrsasign.pemtohex(pem, header), header));
/* Decode into array and re-encode */
return x509.PemConverter.decodeWithHeaders(chainPem)
.map((params) => x509.PemConverter.encode([params]));
}
exports.splitPemChain = splitPemChain;
@@ -235,43 +251,28 @@ exports.getPemBodyAsB64u = (pem) => {
throw new Error('Unable to parse PEM body from string');
}
/* Select first object, decode to hex and b64u */
return jsrsasign.hextob64u(jsrsasign.pemtohex(chain[0]));
/* Select first object, extract body and convert to b64u */
const dec = x509.PemConverter.decodeFirst(chain[0]);
return Buffer.from(dec).toString('base64url');
};
/**
* Parse common name from a subject object
*
* @private
* @param {object} subj Subject returned from jsrsasign
* @returns {string} Common name value
*/
function parseCommonName(subj) {
const subjectArr = (subj && subj.array) ? subj.array : [];
const cnArr = subjectArr.find((s) => (s[0] && s[0].type && s[0].value && (s[0].type === 'CN')));
return (cnArr && cnArr.length && cnArr[0].value) ? cnArr[0].value : null;
}
/**
* Parse domains from a certificate or CSR
*
* @private
* @param {object} params Certificate or CSR params returned from jsrsasign
* @param {object} input x509.Certificate or x509.Pkcs10CertificateRequest
* @returns {object} {commonName, altNames}
*/
function parseDomains(params) {
const commonName = parseCommonName(params.subject);
const extensionArr = (params.ext || params.extreq || []);
function parseDomains(input) {
const commonName = input.subjectName.getField('CN').pop() || null;
const altNamesRaw = input.getExtension(subjectAltNameOID);
let altNames = [];
if (extensionArr && extensionArr.length) {
const altNameExt = extensionArr.find((e) => (e.extname && (e.extname === 'subjectAltName')));
const altNameArr = (altNameExt && altNameExt.array && altNameExt.array.length) ? altNameExt.array : [];
altNames = altNameArr.map((a) => Object.values(a)[0] || null).filter((a) => a);
if (altNamesRaw) {
const altNamesExt = new x509.SubjectAlternativeNameExtension(altNamesRaw.rawData);
altNames = altNames.concat(altNamesExt.names.items.map((i) => i.value));
}
return {
@@ -301,34 +302,12 @@ exports.readCsrDomains = (csrPem) => {
csrPem = csrPem.toString();
}
/* Parse CSR */
const params = jsrsasign.KJUR.asn1.csr.CSRUtil.getParam(csrPem);
return parseDomains(params);
const dec = x509.PemConverter.decodeFirst(csrPem);
const csr = new x509.Pkcs10CertificateRequest(dec);
return parseDomains(csr);
};
/**
* Parse params from a single or chain of PEM encoded certificates
*
* @private
* @param {buffer|string} certPem PEM encoded certificate or chain
* @returns {object} Certificate params
*/
function getCertificateParams(certPem) {
const chain = splitPemChain(certPem);
if (!chain.length) {
throw new Error('Unable to parse PEM body from string');
}
/* Parse certificate */
const obj = new jsrsasign.X509();
obj.readCertPEM(chain[0]);
return obj.getParam();
}
/**
* Read information from a certificate
* If multiple certificates are chained, the first will be read
@@ -350,39 +329,43 @@ function getCertificateParams(certPem) {
*/
exports.readCertificateInfo = (certPem) => {
const params = getCertificateParams(certPem);
if (Buffer.isBuffer(certPem)) {
certPem = certPem.toString();
}
const dec = x509.PemConverter.decodeFirst(certPem);
const cert = new x509.X509Certificate(dec);
return {
issuer: {
commonName: parseCommonName(params.issuer)
commonName: cert.issuerName.getField('CN').pop() || null
},
domains: parseDomains(params),
notBefore: jsrsasign.zulutodate(params.notbefore),
notAfter: jsrsasign.zulutodate(params.notafter)
domains: parseDomains(cert),
notBefore: cert.notBefore,
notAfter: cert.notAfter
};
};
/**
* Determine ASN.1 character string type for CSR subject field
* Determine ASN.1 character string type for CSR subject field name
*
* https://tools.ietf.org/html/rfc5280
* https://github.com/kjur/jsrsasign/blob/2613c64559768b91dde9793dfa318feacb7c3b8a/src/x509-1.1.js#L2404-L2412
* https://github.com/kjur/jsrsasign/blob/2613c64559768b91dde9793dfa318feacb7c3b8a/src/asn1x509-1.0.js#L3526-L3535
* https://datatracker.ietf.org/doc/html/rfc5280
* https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/name.ts#L65-L71
*
* @private
* @param {string} field CSR subject field
* @returns {string} ASN.1 jsrsasign character string type
* @param {string} field CSR subject field name
* @returns {string} ASN.1 character string type
*/
function getCsrAsn1CharStringType(field) {
switch (field) {
case 'C':
return 'prn';
return 'printableString';
case 'E':
return 'ia5';
return 'ia5String';
default:
return 'utf8';
return 'utf8String';
}
}
@@ -390,6 +373,8 @@ function getCsrAsn1CharStringType(field) {
/**
* Create array of subject fields for a Certificate Signing Request
*
* https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/name.ts#L65-L71
*
* @private
* @param {object} input Key-value of subject fields
* @returns {object[]} Certificate Signing Request subject array
@@ -399,7 +384,7 @@ function createCsrSubject(input) {
return Object.entries(input).reduce((result, [type, value]) => {
if (value) {
const ds = getCsrAsn1CharStringType(type);
result.push([{ type, value, ds }]);
result.push({ [type]: [{ [ds]: value }] });
}
return result;
@@ -408,20 +393,20 @@ function createCsrSubject(input) {
/**
* Create array of alt names for Certificate Signing Requests
* Create x509 subject alternate name extension
*
* https://github.com/kjur/jsrsasign/blob/3edc0070846922daea98d9588978e91d855577ec/src/x509-1.1.js#L1355-L1410
* https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/extensions/subject_alt_name.ts
*
* @private
* @param {string[]} altNames Array of alt names
* @returns {object[]} Certificate Signing Request alt names array
* @returns {x509.SubjectAlternativeNameExtension} Subject alternate name extension
*/
function formatCsrAltNames(altNames) {
return altNames.map((value) => {
const key = net.isIP(value) ? 'ip' : 'dns';
return { [key]: value };
});
function createSubjectAltNameExtension(altNames) {
return new x509.SubjectAlternativeNameExtension(altNames.map((value) => {
const type = net.isIP(value) ? 'ip' : 'dns';
return { type, value };
}));
}
@@ -431,14 +416,14 @@ function formatCsrAltNames(altNames) {
* @param {object} data
* @param {number} [data.keySize] Size of newly created RSA private key modulus in bits, default: `2048`
* @param {string} [data.commonName] FQDN of your server
* @param {array} [data.altNames] SAN (Subject Alternative Names), default: `[]`
* @param {string[]} [data.altNames] SAN (Subject Alternative Names), default: `[]`
* @param {string} [data.country] 2 letter country code
* @param {string} [data.state] State or province
* @param {string} [data.locality] City
* @param {string} [data.organization] Organization name
* @param {string} [data.organizationUnit] Organizational unit name
* @param {string} [data.emailAddress] Email address
* @param {string} [keyPem] PEM encoded CSR private key
* @param {buffer|string} [keyPem] PEM encoded CSR private key
* @returns {Promise<buffer[]>} [privateKey, certificateSigningRequest]
*
* @example Create a Certificate Signing Request
@@ -479,7 +464,7 @@ function formatCsrAltNames(altNames) {
* }, certificateKey);
*/
async function createCsr(data, keyPem = null) {
exports.createCsr = async (data, keyPem = null) => {
if (!keyPem) {
keyPem = await createPrivateRsaKey(data.keySize);
}
@@ -491,65 +476,52 @@ async function createCsr(data, keyPem = null) {
data.altNames = [];
}
/* Get key info and JWK */
const info = getKeyInfo(keyPem);
const jwk = getJwk(keyPem);
const extensionRequests = [];
/* Missing support for NIST curve names in jsrsasign - https://github.com/kjur/jsrsasign/blob/master/src/asn1x509-1.0.js#L4388-L4393 */
if (jwk.crv && (jwk.kty === 'EC')) {
jwk.crv = convertNistCurveNameToSecg(jwk.crv);
}
/* Ensure subject common name is present in SAN - https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf */
if (data.commonName && !data.altNames.includes(data.commonName)) {
data.altNames.unshift(data.commonName);
}
/* Subject */
const subject = createCsrSubject({
CN: data.commonName,
C: data.country,
ST: data.state,
L: data.locality,
O: data.organization,
OU: data.organizationUnit,
E: data.emailAddress
});
/* CryptoKeyPair and signing algorithm from private key */
const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
/* SAN extension */
if (data.altNames.length) {
extensionRequests.push({
extname: 'subjectAltName',
array: formatCsrAltNames(data.altNames)
});
}
const extensions = [
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment), // eslint-disable-line no-bitwise
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
createSubjectAltNameExtension(data.altNames)
];
/* Create CSR */
const csr = new jsrsasign.KJUR.asn1.csr.CertificationRequest({
subject: { array: subject },
sigalg: info.signatureAlgorithm,
sbjprvkey: keyPem.toString(),
sbjpubkey: jwk,
extreq: extensionRequests
const csr = await x509.Pkcs10CertificateRequestGenerator.create({
keys,
extensions,
signingAlgorithm,
name: createCsrSubject({
CN: data.commonName,
C: data.country,
ST: data.state,
L: data.locality,
O: data.organization,
OU: data.organizationUnit,
E: data.emailAddress
})
});
/* Done */
const pem = csr.getPEM();
const pem = csr.toString('pem');
return [keyPem, Buffer.from(pem)];
}
exports.createCsr = createCsr;
};
/**
* Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
*
* https://tools.ietf.org/html/rfc8737
* https://datatracker.ietf.org/doc/html/rfc8737
*
* @param {object} authz Identifier authorization
* @param {string} keyAuthorization Challenge key authorization
* @param {string} [keyPem] PEM encoded CSR private key
* @param {buffer|string} [keyPem] PEM encoded CSR private key
* @returns {Promise<buffer[]>} [privateKey, certificate]
*
* @example Create a ALPN certificate
@@ -564,45 +536,58 @@ exports.createCsr = createCsr;
*/
exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) => {
/* Create CSR first */
if (!keyPem) {
keyPem = await createPrivateRsaKey();
}
else if (!Buffer.isBuffer(keyPem)) {
keyPem = Buffer.from(keyPem);
}
const now = new Date();
const commonName = authz.identifier.value;
const [key, csr] = await createCsr({ commonName }, keyPem);
/* Parse params and grab stuff we need */
const params = jsrsasign.KJUR.asn1.csr.CSRUtil.getParam(csr.toString());
const { subject, sbjpubkey, extreq, sigalg } = params;
/* ALPN extension */
const alpnExt = {
critical: true,
extname: alpnAcmeIdentifierOID,
extn: new jsrsasign.KJUR.asn1.DEROctetString({
hex: crypto.createHash('sha256').update(keyAuthorization).digest('hex')
})
};
/* Pseudo-random serial - max 20 bytes, 11 for epoch (year 5138), 9 random */
const random = await randomInt(1, 999999999);
const serial = `${Math.floor(now.getTime() / 1000)}${random}`;
const serialNumber = `${Math.floor(now.getTime() / 1000)}${random}`;
/* CryptoKeyPair and signing algorithm from private key */
const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
const extensions = [
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true), // eslint-disable-line no-bitwise
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9 */
new x509.BasicConstraintsExtension(true, 2, true),
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 */
await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
createSubjectAltNameExtension([commonName])
];
/* ALPN extension */
const payload = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
const octstr = new asn1js.OctetString({ valueHex: Buffer.from(payload, 'hex') });
extensions.push(new x509.Extension(alpnAcmeIdentifierOID, true, octstr.toBER()));
/* Self-signed ALPN certificate */
const certificate = new jsrsasign.KJUR.asn1.x509.Certificate({
subject,
sbjpubkey,
sigalg,
version: 3,
serial: { hex: Buffer.from(serial).toString('hex') },
issuer: subject,
notbefore: jsrsasign.datetozulu(now),
notafter: jsrsasign.datetozulu(now),
cakey: key.toString(),
ext: extreq.concat([alpnExt])
const cert = await x509.X509CertificateGenerator.createSelfSigned({
keys,
signingAlgorithm,
extensions,
serialNumber,
notBefore: now,
notAfter: now,
name: createCsrSubject({
CN: commonName
})
});
/* Done */
const pem = certificate.getPEM();
return [key, Buffer.from(pem)];
const pem = cert.toString('pem');
return [keyPem, Buffer.from(pem)];
};
@@ -615,14 +600,20 @@ exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) =
*/
exports.isAlpnCertificateAuthorizationValid = (certPem, keyAuthorization) => {
const params = getCertificateParams(certPem);
const expectedHex = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
const acmeExt = (params.ext || []).find((e) => (e && e.extname && (e.extname === alpnAcmeIdentifierOID)));
const expected = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
if (!acmeExt || !acmeExt.extn || !acmeExt.extn.octstr || !acmeExt.extn.octstr.hex) {
/* Attempt to locate ALPN extension */
const cert = new x509.X509Certificate(certPem);
const ext = cert.getExtension(alpnAcmeIdentifierOID);
if (!ext) {
throw new Error('Unable to locate ALPN extension within parsed certificate');
}
/* Decode extension value */
const parsed = asn1js.fromBER(ext.value);
const result = Buffer.from(parsed.result.valueBlock.valueHexView).toString('hex');
/* Return true if match */
return (acmeExt.extn.octstr.hex === expectedHex);
return (result === expected);
};
packages/core/acme-client/src/http.js
+4 -4
View File
@@ -64,7 +64,7 @@ class HttpClient {
/**
* Ensure provider directory exists
*
* https://tools.ietf.org/html/rfc8555#section-7.1.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
*
* @returns {Promise}
*/
@@ -104,7 +104,7 @@ class HttpClient {
/**
* Get nonce from directory API endpoint
*
* https://tools.ietf.org/html/rfc8555#section-7.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.2
*
* @returns {Promise<string>} nonce
*/
@@ -267,7 +267,7 @@ class HttpClient {
/**
* Signed HTTP request
*
* https://tools.ietf.org/html/rfc8555#section-6.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-6.2
*
* @param {string} url Request URL
* @param {object} payload Request payload
@@ -299,7 +299,7 @@ class HttpClient {
const data = this.createSignedBody(url, payload, { nonce, kid });
const resp = await this.request(url, 'post', { data });
/* Retry on bad nonce - https://tools.ietf.org/html/draft-ietf-acme-acme-10#section-6.4 */
/* Retry on bad nonce - https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-10#section-6.4 */
if (resp.data && resp.data.type && (resp.status === 400) && (resp.data.type === 'urn:ietf:params:acme:error:badNonce') && (attempts < this.maxBadNonceRetries)) {
nonce = resp.headers['replay-nonce'] || null;
attempts += 1;
packages/core/acme-client/src/util.js
+2 -2
View File
@@ -93,7 +93,7 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}) {
*
* @param {string} header Link header contents
* @param {string} rel Link relation, default: `alternate`
* @returns {array} Array of URLs
* @returns {string[]} Array of URLs
*/
function parseLinkHeader(header, rel = 'alternate') {
@@ -113,7 +113,7 @@ function parseLinkHeader(header, rel = 'alternate') {
* - If issuer is found in multiple chains, the closest to root wins
* - If issuer can not be located, the first chain will be returned
*
* @param {array} certificates Array of PEM encoded certificate chains
* @param {string[]} certificates Array of PEM encoded certificate chains
* @param {string} issuer Preferred certificate issuer
* @returns {string} PEM encoded certificate chain
*/
packages/core/acme-client/src/verify.js
+3 -3
View File
@@ -13,7 +13,7 @@ const { isAlpnCertificateAuthorizationValid } = require('./crypto');
/**
* Verify ACME HTTP challenge
*
* https://tools.ietf.org/html/rfc8555#section-8.3
* https://datatracker.ietf.org/doc/html/rfc8555#section-8.3
*
* @param {object} authz Identifier authorization
* @param {object} challenge Authorization challenge
@@ -85,7 +85,7 @@ async function walkDnsChallengeRecord(recordName, resolver = dns) {
/**
* Verify ACME DNS challenge
*
* https://tools.ietf.org/html/rfc8555#section-8.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-8.4
*
* @param {object} authz Identifier authorization
* @param {object} challenge Authorization challenge
@@ -125,7 +125,7 @@ async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '
/**
* Verify ACME TLS ALPN challenge
*
* https://tools.ietf.org/html/rfc8737
* https://datatracker.ietf.org/doc/html/rfc8737
*
* @param {object} authz Identifier authorization
* @param {object} challenge Authorization challenge