Closed Ottunger closed 2 years ago
I've just tested on node v16 to have a native implementation of crypto, and it seems to be the same, so problems should lie somewhere else than the provider.
```js
import { webcrypto as crypto } from 'crypto';
import { setEngine, CryptoEngine } from 'pkijs';

// Register Node's native WebCrypto as the PKI.js engine
setEngine('node', crypto, new CryptoEngine({ name: 'node', crypto: crypto, subtle: crypto.subtle }));
```
Problem was with btoa, closing!
@Ottunger Have you seen @peculiar/x509? It allows generating X509 certificates more easily: https://github.com/PeculiarVentures/x509#create-a-self-signed-certificate
@microshine I don't think https://github.com/PeculiarVentures/x509 can encode CRL distribution points can it?
Anyways, I'm still stuck with two problems using PKI.js directly:
Can you tell me if my code above is correct for these two?
Found a fix for both. Far-reaching dates still seem to be a problem.
```js
import { webcrypto as crypto } from "crypto";
import * as asn1Schema from "@peculiar/asn1-schema";
import * as asn1X509 from "@peculiar/asn1-x509";
import { AsnConvert } from "@peculiar/asn1-schema";
import * as x509 from "@peculiar/x509";

// Point @peculiar/x509 at Node's WebCrypto implementation
x509.cryptoProvider.set(crypto);

const alg = {
  name: "RSASSA-PKCS1-v1_5",
  hash: "SHA-256",
  publicExponent: new Uint8Array([1, 0, 1]),
  modulusLength: 2048,
};
const keys = await crypto.subtle.generateKey(alg, false, ["sign", "verify"]);

// cRLDistributionPoints with a single fullName URI entry
const crlDistPtr = new asn1X509.CRLDistributionPoints([
  new asn1X509.DistributionPoint({
    distributionPoint: new asn1X509.DistributionPointName({
      fullName: [
        new asn1X509.GeneralName({
          uniformResourceIdentifier: "https://some.com/crl",
        }),
      ],
    }),
  }),
]);

const cert = await x509.X509CertificateGenerator.createSelfSigned({
  serialNumber: "01",
  name: "CN=Test",
  notBefore: new Date("2020/01/01"),
  notAfter: new Date("2020/01/02"),
  signingAlgorithm: alg,
  keys,
  extensions: [
    new x509.BasicConstraintsExtension(true, 2, true),
    new x509.ExtendedKeyUsageExtension(["1.2.3.4.5.6.7", "2.3.4.5.6.7.8"], true),
    new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
    await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
    // Generic extension: OID 2.5.29.31, non-critical, DER-serialized value
    new x509.Extension(asn1X509.id_ce_cRLDistributionPoints, false, AsnConvert.serialize(crlDistPtr)),
  ],
});
console.log(cert.toString("pem"));

// Read the extension back out of the generated certificate and decode it
const crlDistPtrExt = cert.getExtension(asn1X509.id_ce_cRLDistributionPoints);
if (crlDistPtrExt) {
  const parsed = AsnConvert.parse(crlDistPtrExt.value, asn1X509.CRLDistributionPoints);
  console.log(parsed);
}
```
Thanks for the heads up :)
Got it the same with

```js
import { CRLDistributionPoints, DistributionPoint, GeneralName, Extension } from 'pkijs';

// `config` and `certificate` (a PKI.js Certificate being built) come from the surrounding code
const crlDistributionPoints = new CRLDistributionPoints({
  distributionPoints: [new DistributionPoint({
    distributionPoint: [new GeneralName({ type: 6, value: config.crlDistributionPoint })], // URI type
    cRLIssuer: [new GeneralName({ type: 1, value: config.issuerName })] // Name type
  })]
});
certificate.extensions.push(new Extension({
  extnID: '2.5.29.31', // id-ce-cRLDistributionPoints
  critical: false,
  extnValue: crlDistributionPoints.toSchema().toBER(false),
  parsedValue: crlDistributionPoints
}));
```
Although I'll admit x509 lib reduces code length!
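To see what the two snippets above actually put on the wire, here is an added example (not code from PKI.js, @peculiar/x509 or the thread participants) that encodes and decodes the raw DER of the cRLDistributionPoints (2.5.29.31) extension value with nothing but Node's Buffer. The decoder is strict about lengths and trailing bytes and skips entries it does not understand rather than guessing; the sample URI is constructed from the thread.

```javascript
// Minimal DER encode/decode for the cRLDistributionPoints extension value.
// Added example; assumes only Node's Buffer, no ASN.1 library.

// Encode one DER TLV (short form and 1- or 2-byte long length forms, values < 64 KiB).
function tlv(tag, body) {
  const len = body.length;
  const lenBytes = len < 0x80 ? [len] : len < 0x100 ? [0x81, len] : [0x82, len >> 8, len & 0xff];
  return Buffer.concat([Buffer.from([tag, ...lenBytes]), body]);
}

// CRLDistributionPoints ::= SEQUENCE OF DistributionPoint, each encoded as
// SEQUENCE { distributionPoint [0] EXPLICIT { fullName [0] IMPLICIT { [6] IA5String uri } } }
function encodeCrlDistributionPoints(uris) {
  const points = uris.map((uri) =>
    tlv(0x30, tlv(0xa0, tlv(0xa0, tlv(0x86, Buffer.from(uri, 'ascii'))))));
  return tlv(0x30, Buffer.concat(points));
}

// Read one TLV at `off`; rejects indefinite and oversized lengths and truncated input.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated TLV header');
  const tag = buf[off];
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 2) throw new Error('unsupported DER length form');
    if (off + 2 + n > buf.length) throw new Error('truncated TLV length');
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[off + 2 + i];
    hdr += n;
  }
  const end = off + hdr + len;
  if (end > buf.length) throw new Error('TLV length exceeds buffer');
  return { tag, body: buf.subarray(off + hdr, end), end };
}

// Return every URI under distributionPoint/fullName; reasons [1], cRLIssuer [2],
// nameRelativeToCRLIssuer [1] and non-URI GeneralNames are skipped, not guessed at.
function decodeCrlDistributionPointUris(der) {
  const outer = readTlv(der, 0);
  if (outer.tag !== 0x30 || outer.end !== der.length) throw new Error('not a single SEQUENCE');
  const uris = [];
  for (let o = 0; o < outer.body.length; ) {
    const dp = readTlv(outer.body, o); o = dp.end;
    if (dp.tag !== 0x30) throw new Error('DistributionPoint must be a SEQUENCE');
    for (let p = 0; p < dp.body.length; ) {
      const field = readTlv(dp.body, p); p = field.end;
      if (field.tag !== 0xa0) continue;            // not distributionPoint [0]
      const name = readTlv(field.body, 0);         // the DistributionPointName CHOICE
      if (name.tag !== 0xa0) continue;             // not fullName [0]
      for (let g = 0; g < name.body.length; ) {
        const gn = readTlv(name.body, g); g = gn.end;
        if (gn.tag === 0x86) uris.push(gn.body.toString('ascii'));
      }
    }
  }
  return uris;
}
```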
Hi,
I've recently started to use your lib rather than node-forge to create certificates, so as to register the CRL distribution endpoint inside (and by the way, the CRL creation itself works fine). However, the certificates I get are invalid and I can't understand why. Could this be because I use node-webcrypto-ossl as provider? This is indeed heavily based on your "Certificate complex example", hence the question. Again, the CRL emitting part works fine.
The following code gives you a reproducible example: