// Copyright 2016 Joyent, Inc. module.exports = Certificate; var assert = require('assert-plus'); var Buffer = require('safer-buffer').Buffer; var algs = require('./algs'); var crypto = require('crypto'); var Fingerprint = require('./fingerprint'); var Signature = require('./signature'); var errs = require('./errors'); var util = require('util'); var utils = require('./utils'); var Key = require('./key'); var PrivateKey = require('./private-key'); var Identity = require('./identity'); var formats = {}; formats['openssh'] = require('./formats/openssh-cert'); formats['x509'] = require('./formats/x509'); formats['pem'] = require('./formats/x509-pem'); var CertificateParseError = errs.CertificateParseError; var InvalidAlgorithmError = errs.InvalidAlgorithmError; function Certificate(opts) { assert.object(opts, 'options'); assert.arrayOfObject(opts.subjects, 'options.subjects'); utils.assertCompatible(opts.subjects[0], Identity, [1, 0], 'options.subjects'); utils.assertCompatible(opts.subjectKey, Key, [1, 0], 'options.subjectKey'); utils.assertCompatible(opts.issuer, Identity, [1, 0], 'options.issuer'); if (opts.issuerKey !== undefined) { utils.assertCompatible(opts.issuerKey, Key, [1, 0], 'options.issuerKey'); } assert.object(opts.signatures, 'options.signatures'); assert.buffer(opts.serial, 'options.serial'); assert.date(opts.validFrom, 'options.validFrom'); assert.date(opts.validUntil, 'optons.validUntil'); assert.optionalArrayOfString(opts.purposes, 'options.purposes'); this._hashCache = {}; this.subjects = opts.subjects; this.issuer = opts.issuer; this.subjectKey = opts.subjectKey; this.issuerKey = opts.issuerKey; this.signatures = opts.signatures; this.serial = opts.serial; this.validFrom = opts.validFrom; this.validUntil = opts.validUntil; this.purposes = opts.purposes; } Certificate.formats = formats; Certificate.prototype.toBuffer = function (format, options) { if (format === undefined) format = 'x509'; assert.string(format, 'format'); assert.object(formats[format], 'formats[format]'); assert.optionalObject(options, 'options'); return (formats[format].write(this, options)); }; Certificate.prototype.toString = function (format, options) { if (format === undefined) format = 'pem'; return (this.toBuffer(format, options).toString()); }; Certificate.prototype.fingerprint = function (algo) { if (algo === undefined) algo = 'sha256'; assert.string(algo, 'algorithm'); var opts = { type: 'certificate', hash: this.hash(algo), algorithm: algo }; return (new Fingerprint(opts)); }; Certificate.prototype.hash = function (algo) { assert.string(algo, 'algorithm'); algo = algo.toLowerCase(); if (algs.hashAlgs[algo] === undefined) throw (new InvalidAlgorithmError(algo)); if (this._hashCache[algo]) return (this._hashCache[algo]); var hash = crypto.createHash(algo). update(this.toBuffer('x509')).digest(); this._hashCache[algo] = hash; return (hash); }; Certificate.prototype.isExpired = function (when) { if (when === undefined) when = new Date(); return (!((when.getTime() >= this.validFrom.getTime()) && (when.getTime() < this.validUntil.getTime()))); }; Certificate.prototype.isSignedBy = function (issuerCert) { utils.assertCompatible(issuerCert, Certificate, [1, 0], 'issuer'); if (!this.issuer.equals(issuerCert.subjects[0])) return (false); if (this.issuer.purposes && this.issuer.purposes.length > 0 && this.issuer.purposes.indexOf('ca') === -1) { return (false); } return (this.isSignedByKey(issuerCert.subjectKey)); }; Certificate.prototype.getExtension = function (keyOrOid) { assert.string(keyOrOid, 'keyOrOid'); var ext = this.getExtensions().filter(function (maybeExt) { if (maybeExt.format === 'x509') return (maybeExt.oid === keyOrOid); if (maybeExt.format === 'openssh') return (maybeExt.name === keyOrOid); return (false); })[0]; return (ext); }; Certificate.prototype.getExtensions = function () { var exts = []; var x509 = this.signatures.x509; if (x509 && x509.extras && x509.extras.exts) { x509.extras.exts.forEach(function (ext) { ext.format = 'x509'; exts.push(ext); }); } var openssh = this.signatures.openssh; if (openssh && openssh.exts) { openssh.exts.forEach(function (ext) { ext.format = 'openssh'; exts.push(ext); }); } return (exts); }; Certificate.prototype.isSignedByKey = function (issuerKey) { utils.assertCompatible(issuerKey, Key, [1, 2], 'issuerKey'); if (this.issuerKey !== undefined) { return (this.issuerKey. fingerprint('sha512').matches(issuerKey)); } var fmt = Object.keys(this.signatures)[0]; var valid = formats[fmt].verify(this, issuerKey); if (valid) this.issuerKey = issuerKey; return (valid); }; Certificate.prototype.signWith = function (key) { utils.assertCompatible(key, PrivateKey, [1, 2], 'key'); var fmts = Object.keys(formats); var didOne = false; for (var i = 0; i < fmts.length; ++i) { if (fmts[i] !== 'pem') { var ret = formats[fmts[i]].sign(this, key); if (ret === true) didOne = true; } } if (!didOne) { throw (new Error('Failed to sign the certificate for any ' + 'available certificate formats')); } }; Certificate.createSelfSigned = function (subjectOrSubjects, key, options) { var subjects; if (Array.isArray(subjectOrSubjects)) subjects = subjectOrSubjects; else subjects = [subjectOrSubjects]; assert.arrayOfObject(subjects); subjects.forEach(function (subject) { utils.assertCompatible(subject, Identity, [1, 0], 'subject'); }); utils.assertCompatible(key, PrivateKey, [1, 2], 'private key'); assert.optionalObject(options, 'options'); if (options === undefined) options = {}; assert.optionalObject(options.validFrom, 'options.validFrom'); assert.optionalObject(options.validUntil, 'options.validUntil'); var validFrom = options.validFrom; var validUntil = options.validUntil; if (validFrom === undefined) validFrom = new Date(); if (validUntil === undefined) { assert.optionalNumber(options.lifetime, 'options.lifetime'); var lifetime = options.lifetime; if (lifetime === undefined) lifetime = 10*365*24*3600; validUntil = new Date(); validUntil.setTime(validUntil.getTime() + lifetime*1000); } assert.optionalBuffer(options.serial, 'options.serial'); var serial = options.serial; if (serial === undefined) serial = Buffer.from('0000000000000001', 'hex'); var purposes = options.purposes; if (purposes === undefined) purposes = []; if (purposes.indexOf('signature') === -1) purposes.push('signature'); /* Self-signed certs are always CAs. */ if (purposes.indexOf('ca') === -1) purposes.push('ca'); if (purposes.indexOf('crl') === -1) purposes.push('crl'); /* * If we weren't explicitly given any other purposes, do the sensible * thing and add some basic ones depending on the subject type. */ if (purposes.length <= 3) { var hostSubjects = subjects.filter(function (subject) { return (subject.type === 'host'); }); var userSubjects = subjects.filter(function (subject) { return (subject.type === 'user'); }); if (hostSubjects.length > 0) { if (purposes.indexOf('serverAuth') === -1) purposes.push('serverAuth'); } if (userSubjects.length > 0) { if (purposes.indexOf('clientAuth') === -1) purposes.push('clientAuth'); } if (userSubjects.length > 0 || hostSubjects.length > 0) { if (purposes.indexOf('keyAgreement') === -1) purposes.push('keyAgreement'); if (key.type === 'rsa' && purposes.indexOf('encryption') === -1) purposes.push('encryption'); } } var cert = new Certificate({ subjects: subjects, issuer: subjects[0], subjectKey: key.toPublic(), issuerKey: key.toPublic(), signatures: {}, serial: serial, validFrom: validFrom, validUntil: validUntil, purposes: purposes }); cert.signWith(key); return (cert); }; Certificate.create = function (subjectOrSubjects, key, issuer, issuerKey, options) { var subjects; if (Array.isArray(subjectOrSubjects)) subjects = subjectOrSubjects; else subjects = [subjectOrSubjects]; assert.arrayOfObject(subjects); subjects.forEach(function (subject) { utils.assertCompatible(subject, Identity, [1, 0], 'subject'); }); utils.assertCompatible(key, Key, [1, 0], 'key'); if (PrivateKey.isPrivateKey(key)) key = key.toPublic(); utils.assertCompatible(issuer, Identity, [1, 0], 'issuer'); utils.assertCompatible(issuerKey, PrivateKey, [1, 2], 'issuer key'); assert.optionalObject(options, 'options'); if (options === undefined) options = {}; assert.optionalObject(options.validFrom, 'options.validFrom'); assert.optionalObject(options.validUntil, 'options.validUntil'); var validFrom = options.validFrom; var validUntil = options.validUntil; if (validFrom === undefined) validFrom = new Date(); if (validUntil === undefined) { assert.optionalNumber(options.lifetime, 'options.lifetime'); var lifetime = options.lifetime; if (lifetime === undefined) lifetime = 10*365*24*3600; validUntil = new Date(); validUntil.setTime(validUntil.getTime() + lifetime*1000); } assert.optionalBuffer(options.serial, 'options.serial'); var serial = options.serial; if (serial === undefined) serial = Buffer.from('0000000000000001', 'hex'); var purposes = options.purposes; if (purposes === undefined) purposes = []; if (purposes.indexOf('signature') === -1) purposes.push('signature'); if (options.ca === true) { if (purposes.indexOf('ca') === -1) purposes.push('ca'); if (purposes.indexOf('crl') === -1) purposes.push('crl'); } var hostSubjects = subjects.filter(function (subject) { return (subject.type === 'host'); }); var userSubjects = subjects.filter(function (subject) { return (subject.type === 'user'); }); if (hostSubjects.length > 0) { if (purposes.indexOf('serverAuth') === -1) purposes.push('serverAuth'); } if (userSubjects.length > 0) { if (purposes.indexOf('clientAuth') === -1) purposes.push('clientAuth'); } if (userSubjects.length > 0 || hostSubjects.length > 0) { if (purposes.indexOf('keyAgreement') === -1) purposes.push('keyAgreement'); if (key.type === 'rsa' && purposes.indexOf('encryption') === -1) purposes.push('encryption'); } var cert = new Certificate({ subjects: subjects, issuer: issuer, subjectKey: key, issuerKey: issuerKey.toPublic(), signatures: {}, serial: serial, validFrom: validFrom, validUntil: validUntil, purposes: purposes }); cert.signWith(issuerKey); return (cert); }; Certificate.parse = function (data, format, options) { if (typeof (data) !== 'string') assert.buffer(data, 'data'); if (format === undefined) format = 'auto'; assert.string(format, 'format'); if (typeof (options) === 'string') options = { filename: options }; assert.optionalObject(options, 'options'); if (options === undefined) options = {}; assert.optionalString(options.filename, 'options.filename'); if (options.filename === undefined) options.filename = '(unnamed)'; assert.object(formats[format], 'formats[format]'); try { var k = formats[format].read(data, options); return (k); } catch (e) { throw (new CertificateParseError(options.filename, format, e)); } }; Certificate.isCertificate = function (obj, ver) { return (utils.isCompatible(obj, Certificate, ver)); }; /* * API versions for Certificate: * [1,0] -- initial ver * [1,1] -- openssh format now unpacks extensions */ Certificate.prototype._sshpkApiVersion = [1, 1]; Certificate._oldVersionDetect = function (obj) { return ([1, 0]); };