PeculiarVentures / x509

@peculiar/x509 is an easy to use TypeScript/Javascript library based on @peculiar/asn1-schema that makes generating X.509 Certificates and Certificate Requests as well as validating certificate chains easy
https://peculiarventures.github.io/x509/
MIT License

can not set expiry of a Self signed certificate after 2049-12-31T23:59:59Z #36

Closed ukrocks007 closed 1 year ago

ukrocks007 commented 1 year ago

If I create a certificate with the following code snippet and check the notAfter of the resulting publicKey, it returns 'Bad time value'.

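So the maximum notAfter that works is new Date('2049-12-31T23:59:59Z'). (That is the last instant X.509 encodes as UTCTime; RFC 5280 requires GeneralizedTime for validity dates in 2050 or later.)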

// Reproduction: ask for a self-signed certificate that expires after 2049.
// RFC 5280 encodes validity dates through 2049 as UTCTime and dates in 2050 or
// later as GeneralizedTime, so this value only round-trips if the encoder
// switches time types at that boundary.
// NOTE(review): presumably the library emitted UTCTime here — confirm against the fix.
const farFutureExpiry = new Date('2149-12-31T23:59:59Z');
const cert = await x509.X509CertificateGenerator.createSelfSigned({
  serialNumber: '01',
  notBefore: new Date(),
  notAfter: farFutureExpiry,
  signingAlgorithm: alg,
  keys,
  extensions,
});

Can we make this work for dates after 2049-12-31T23:59:59Z?

ukrocks007 commented 1 year ago

It looks like this works with node-forge:

var forge = require('node-forge');
const { X509Certificate } = require('crypto');

var pki = forge.pki;
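/**
 * Build a throwaway self-signed RSA-2048 certificate with node-forge and
 * return it PEM-encoded. Used to check how a given notAfter value survives
 * encoding and re-parsing.
 *
 * @param {string|number|Date} [date] - Expiry (notAfter); anything `new Date()`
 *   accepts. Falls back to 2049-12-31T23:59:59Z when omitted or falsy.
 * @returns {string} The certificate in PEM form.
 * @throws {RangeError} If `date` does not parse to a valid Date.
 */
function createPEM(date) {
    const notAfter = date ? new Date(date) : new Date('2049-12-31T23:59:59Z');
    // An unparseable input yields an Invalid Date; reject it here instead of
    // handing a NaN timestamp to the ASN.1 encoder.
    if (Number.isNaN(notAfter.getTime())) {
        throw new RangeError(`createPEM: invalid notAfter date: ${String(date)}`);
    }

    const keys = pki.rsa.generateKeyPair(2048);
    const cert = pki.createCertificate();
    cert.publicKey = keys.publicKey;
    // Fixed serial: acceptable for a one-off test certificate only; issued
    // certificates need a unique serial per issuer.
    cert.serialNumber = '01';
    cert.validity.notBefore = new Date();
    cert.validity.notAfter = notAfter;

    // Subject and issuer share one DN because the certificate is self-signed.
    const attrs = [
        { name: 'commonName', value: 'demo.com' },
        { name: 'countryName', value: 'US' },
        { shortName: 'ST', value: 'Virginia' },
        { name: 'localityName', value: 'Blacksburg' },
        { name: 'organizationName', value: 'Test' },
        { shortName: 'OU', value: 'Test' },
    ];
    cert.setSubject(attrs);
    cert.setIssuer(attrs);

    // NOTE(review): basicConstraints says cA: false, yet keyCertSign and the
    // Netscape sslCA/emailCA/objCA bits are asserted. RFC 5280 forbids
    // keyCertSign when cA is not asserted, and strict validators may reject
    // the certificate. Decide whether this is a leaf or a CA and make the
    // extensions agree; left as written because the intent is not stated.
    cert.setExtensions([
        { name: 'basicConstraints', cA: false },
        {
            name: 'keyUsage',
            keyCertSign: true,
            digitalSignature: true,
            nonRepudiation: true,
            keyEncipherment: true,
            dataEncipherment: true,
        },
        {
            name: 'extKeyUsage',
            serverAuth: true,
            clientAuth: true,
            codeSigning: true,
            emailProtection: true,
            timeStamping: true,
        },
        {
            name: 'nsCertType',
            client: true,
            server: true,
            email: true,
            objsign: true,
            sslCA: true,
            emailCA: true,
            objCA: true,
        },
        {
            name: 'subjectAltName',
            altNames: [
                // GeneralName tag 6 = URI, tag 7 = IP address.
                { type: 6, value: 'http://example.org/webid#me' },
                { type: 7, ip: '127.0.0.1' },
            ],
        },
        { name: 'subjectKeyIdentifier' },
    ]);

    // Self-sign. node-forge falls back to SHA-1 when no digest is passed, so
    // request SHA-256 explicitly; SHA-1 signatures are refused by current
    // TLS stacks and are not collision-resistant.
    cert.sign(keys.privateKey, forge.md.sha256.create());

    // Convert the forge certificate object to PEM.
    return pki.certificateToPem(cert);
}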

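// Issue one certificate per expiry and read notAfter back through Node's own
// X.509 parser. `undefined` exercises createPEM's default of
// 2049-12-31T23:59:59Z; the other two fall in the 2050+ range that must be
// encoded as GeneralizedTime. A parser that cannot read the encoded time
// reports the literal string 'Bad time value' (as described in the issue).
const expiries = [undefined, '2100-12-31T23:59:59Z', '3000-12-31T23:59:59Z'];

for (const expiry of expiries) {
    const pem = createPEM(expiry);
    const { validTo } = new X509Certificate(pem);
    // Strict comparison: validTo is a string, so no coercion is wanted.
    console.log(validTo, validTo === 'Bad time value', new Date(validTo));
    // The PEM holds only the public certificate; the private key never leaves createPEM.
    console.log(pem);
}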
microshine commented 1 year ago

Fixed in @peculiar/x509@1.8.4