--- /dev/null
+// Copyright 2016 Joyent, Inc.
+
+module.exports = Certificate;
+
+var assert = require('assert-plus');
+var algs = require('./algs');
+var crypto = require('crypto');
+var Fingerprint = require('./fingerprint');
+var Signature = require('./signature');
+var errs = require('./errors');
+var util = require('util');
+var utils = require('./utils');
+var Key = require('./key');
+var PrivateKey = require('./private-key');
+var Identity = require('./identity');
+
+var formats = {};
+formats['openssh'] = require('./formats/openssh-cert');
+formats['x509'] = require('./formats/x509');
+formats['pem'] = require('./formats/x509-pem');
+
+var CertificateParseError = errs.CertificateParseError;
+var InvalidAlgorithmError = errs.InvalidAlgorithmError;
+
+function Certificate(opts) {
+ assert.object(opts, 'options');
+ assert.arrayOfObject(opts.subjects, 'options.subjects');
+ utils.assertCompatible(opts.subjects[0], Identity, [1, 0],
+ 'options.subjects');
+ utils.assertCompatible(opts.subjectKey, Key, [1, 0],
+ 'options.subjectKey');
+ utils.assertCompatible(opts.issuer, Identity, [1, 0], 'options.issuer');
+ if (opts.issuerKey !== undefined) {
+ utils.assertCompatible(opts.issuerKey, Key, [1, 0],
+ 'options.issuerKey');
+ }
+ assert.object(opts.signatures, 'options.signatures');
+ assert.buffer(opts.serial, 'options.serial');
+ assert.date(opts.validFrom, 'options.validFrom');
+ assert.date(opts.validUntil, 'optons.validUntil');
+
+ this._hashCache = {};
+
+ this.subjects = opts.subjects;
+ this.issuer = opts.issuer;
+ this.subjectKey = opts.subjectKey;
+ this.issuerKey = opts.issuerKey;
+ this.signatures = opts.signatures;
+ this.serial = opts.serial;
+ this.validFrom = opts.validFrom;
+ this.validUntil = opts.validUntil;
+}
+
+Certificate.formats = formats;
+
+Certificate.prototype.toBuffer = function (format, options) {
+ if (format === undefined)
+ format = 'x509';
+ assert.string(format, 'format');
+ assert.object(formats[format], 'formats[format]');
+ assert.optionalObject(options, 'options');
+
+ return (formats[format].write(this, options));
+};
+
+Certificate.prototype.toString = function (format, options) {
+ if (format === undefined)
+ format = 'pem';
+ return (this.toBuffer(format, options).toString());
+};
+
+Certificate.prototype.fingerprint = function (algo) {
+ if (algo === undefined)
+ algo = 'sha256';
+ assert.string(algo, 'algorithm');
+ var opts = {
+ type: 'certificate',
+ hash: this.hash(algo),
+ algorithm: algo
+ };
+ return (new Fingerprint(opts));
+};
+
+Certificate.prototype.hash = function (algo) {
+ assert.string(algo, 'algorithm');
+ algo = algo.toLowerCase();
+ if (algs.hashAlgs[algo] === undefined)
+ throw (new InvalidAlgorithmError(algo));
+
+ if (this._hashCache[algo])
+ return (this._hashCache[algo]);
+
+ var hash = crypto.createHash(algo).
+ update(this.toBuffer('x509')).digest();
+ this._hashCache[algo] = hash;
+ return (hash);
+};
+
+Certificate.prototype.isExpired = function (when) {
+ if (when === undefined)
+ when = new Date();
+ return (!((when.getTime() >= this.validFrom.getTime()) &&
+ (when.getTime() < this.validUntil.getTime())));
+};
+
+Certificate.prototype.isSignedBy = function (issuerCert) {
+ utils.assertCompatible(issuerCert, Certificate, [1, 0], 'issuer');
+
+ if (!this.issuer.equals(issuerCert.subjects[0]))
+ return (false);
+
+ return (this.isSignedByKey(issuerCert.subjectKey));
+};
+
+Certificate.prototype.isSignedByKey = function (issuerKey) {
+ utils.assertCompatible(issuerKey, Key, [1, 2], 'issuerKey');
+
+ if (this.issuerKey !== undefined) {
+ return (this.issuerKey.
+ fingerprint('sha512').matches(issuerKey));
+ }
+
+ var fmt = Object.keys(this.signatures)[0];
+ var valid = formats[fmt].verify(this, issuerKey);
+ if (valid)
+ this.issuerKey = issuerKey;
+ return (valid);
+};
+
+Certificate.prototype.signWith = function (key) {
+ utils.assertCompatible(key, PrivateKey, [1, 2], 'key');
+ var fmts = Object.keys(formats);
+ var didOne = false;
+ for (var i = 0; i < fmts.length; ++i) {
+ if (fmts[i] !== 'pem') {
+ var ret = formats[fmts[i]].sign(this, key);
+ if (ret === true)
+ didOne = true;
+ }
+ }
+ if (!didOne) {
+ throw (new Error('Failed to sign the certificate for any ' +
+ 'available certificate formats'));
+ }
+};
+
+Certificate.createSelfSigned = function (subjectOrSubjects, key, options) {
+ var subjects;
+ if (Array.isArray(subjectOrSubjects))
+ subjects = subjectOrSubjects;
+ else
+ subjects = [subjectOrSubjects];
+
+ assert.arrayOfObject(subjects);
+ subjects.forEach(function (subject) {
+ utils.assertCompatible(subject, Identity, [1, 0], 'subject');
+ });
+
+ utils.assertCompatible(key, PrivateKey, [1, 2], 'private key');
+
+ assert.optionalObject(options, 'options');
+ if (options === undefined)
+ options = {};
+ assert.optionalObject(options.validFrom, 'options.validFrom');
+ assert.optionalObject(options.validUntil, 'options.validUntil');
+ var validFrom = options.validFrom;
+ var validUntil = options.validUntil;
+ if (validFrom === undefined)
+ validFrom = new Date();
+ if (validUntil === undefined) {
+ assert.optionalNumber(options.lifetime, 'options.lifetime');
+ var lifetime = options.lifetime;
+ if (lifetime === undefined)
+ lifetime = 10*365*24*3600;
+ validUntil = new Date();
+ validUntil.setTime(validUntil.getTime() + lifetime*1000);
+ }
+ assert.optionalBuffer(options.serial, 'options.serial');
+ var serial = options.serial;
+ if (serial === undefined)
+ serial = new Buffer('0000000000000001', 'hex');
+
+ var cert = new Certificate({
+ subjects: subjects,
+ issuer: subjects[0],
+ subjectKey: key.toPublic(),
+ issuerKey: key.toPublic(),
+ signatures: {},
+ serial: serial,
+ validFrom: validFrom,
+ validUntil: validUntil
+ });
+ cert.signWith(key);
+
+ return (cert);
+};
+
+Certificate.create =
+ function (subjectOrSubjects, key, issuer, issuerKey, options) {
+ var subjects;
+ if (Array.isArray(subjectOrSubjects))
+ subjects = subjectOrSubjects;
+ else
+ subjects = [subjectOrSubjects];
+
+ assert.arrayOfObject(subjects);
+ subjects.forEach(function (subject) {
+ utils.assertCompatible(subject, Identity, [1, 0], 'subject');
+ });
+
+ utils.assertCompatible(key, Key, [1, 0], 'key');
+ if (PrivateKey.isPrivateKey(key))
+ key = key.toPublic();
+ utils.assertCompatible(issuer, Identity, [1, 0], 'issuer');
+ utils.assertCompatible(issuerKey, PrivateKey, [1, 2], 'issuer key');
+
+ assert.optionalObject(options, 'options');
+ if (options === undefined)
+ options = {};
+ assert.optionalObject(options.validFrom, 'options.validFrom');
+ assert.optionalObject(options.validUntil, 'options.validUntil');
+ var validFrom = options.validFrom;
+ var validUntil = options.validUntil;
+ if (validFrom === undefined)
+ validFrom = new Date();
+ if (validUntil === undefined) {
+ assert.optionalNumber(options.lifetime, 'options.lifetime');
+ var lifetime = options.lifetime;
+ if (lifetime === undefined)
+ lifetime = 10*365*24*3600;
+ validUntil = new Date();
+ validUntil.setTime(validUntil.getTime() + lifetime*1000);
+ }
+ assert.optionalBuffer(options.serial, 'options.serial');
+ var serial = options.serial;
+ if (serial === undefined)
+ serial = new Buffer('0000000000000001', 'hex');
+
+ var cert = new Certificate({
+ subjects: subjects,
+ issuer: issuer,
+ subjectKey: key,
+ issuerKey: issuerKey.toPublic(),
+ signatures: {},
+ serial: serial,
+ validFrom: validFrom,
+ validUntil: validUntil
+ });
+ cert.signWith(issuerKey);
+
+ return (cert);
+};
+
+Certificate.parse = function (data, format, options) {
+ if (typeof (data) !== 'string')
+ assert.buffer(data, 'data');
+ if (format === undefined)
+ format = 'auto';
+ assert.string(format, 'format');
+ if (typeof (options) === 'string')
+ options = { filename: options };
+ assert.optionalObject(options, 'options');
+ if (options === undefined)
+ options = {};
+ assert.optionalString(options.filename, 'options.filename');
+ if (options.filename === undefined)
+ options.filename = '(unnamed)';
+
+ assert.object(formats[format], 'formats[format]');
+
+ try {
+ var k = formats[format].read(data, options);
+ return (k);
+ } catch (e) {
+ throw (new CertificateParseError(options.filename, format, e));
+ }
+};
+
+Certificate.isCertificate = function (obj, ver) {
+ return (utils.isCompatible(obj, Certificate, ver));
+};
+
+/*
+ * API versions for Certificate:
+ * [1,0] -- initial ver
+ */
+Certificate.prototype._sshpkApiVersion = [1, 0];
+
+Certificate._oldVersionDetect = function (obj) {
+ return ([1, 0]);
+};
Code Review / simantics / district.git / blobdiff