Open csuermann opened 2 years ago
The current version doesn't check certificate revocations.
You can use the current API for path building, and check by yourself that the last cert in the chain is trusted:
```js
const chain = new x509.X509ChainBuilder({
  certificates: certs,
});
const items = await chain.build(cert);
```
We are going to extend the current API for chain validation as described in RFC 5280.
Could use some better examples of this, ideally a simple 2 layer example.
```js
import * as x509 from "@peculiar/x509";

// Read certificates
const rootCert = new x509.X509Certificate(rootRaw);
const ca1Cert = new x509.X509Certificate(ca1Raw);
const ca2Cert = new x509.X509Certificate(ca2Raw);
const ca3Cert = new x509.X509Certificate(ca3Raw);
// ...
const leafCert = new x509.X509Certificate(leafRaw);

// Build chain (no trailing comma before rootCert, otherwise the array gets an empty slot)
const certificates = [ca3Cert, ca2Cert, ca1Cert, /* ... */ rootCert];
const chain = new x509.X509ChainBuilder({
  certificates,
});
const items = await chain.build(leafCert);

// Print chain
for (const cert of items) {
  console.log(cert.subject);
}
console.log(items.toString("pem-chain"));
```
```
CN=Client #1
CN=Intermediate CA #1.1.1
CN=Intermediate CA #1.1
CN=Intermediate CA #1
CN=Root CA
```
Thank you!
I was able to figure it out after I left this comment, but your code is probably better for future readers than mine would have been.
I suggest closing this issue.
I would like to check whether a given X.509 certificate has been signed by a known root certificate (CA). Can this library be used for that?