PeculiarVentures / x509

@peculiar/x509 is an easy-to-use TypeScript/JavaScript library based on @peculiar/asn1-schema that makes generating X.509 certificates and certificate requests, as well as validating certificate chains, easy.
https://peculiarventures.github.io/x509/
MIT License

Certificate chain that validated in v1.9.4 no longer does in v1.9.5 #67

Closed jstayton closed 9 months ago

jstayton commented 1 year ago

Hey @microshine – I updated to v1.9.5 today and found that #63 broke a chain that successfully validated in v1.9.4.

This is in Node.js v16 using the Web Crypto API module (import { webcrypto } from 'crypto').

Here's the error:

DOMException [NotSupportedError]: Unrecognized namedCurve
    at new DOMException (node:internal/per_context/domexception:53:5)
    at __node_internal_ (node:internal/util:505:10)
    at Object.ecImportKey (node:internal/crypto/ec:170:11)
    at SubtleCrypto.importKey (node:internal/crypto/webcrypto:541:10)
    at PublicKey.export (/Users/jstayton/Code/lens-api/node_modules/@peculiar/x509/build/x509.cjs.js:1289:30)
    at X509ChainBuilder.findIssuer (/Users/jstayton/Code/lens-api/node_modules/@peculiar/x509/build/x509.cjs.js:2340:59)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async X509ChainBuilder.build (/Users/jstayton/Code/lens-api/node_modules/@peculiar/x509/build/x509.cjs.js:2305:26)

Here are the X509Certificate objects:

X509Certificate {
  rawData: ArrayBuffer {
    [Uint8Contents]: <30 82 02 e3 30 82 02 69 a0 03 02 01 02 02 06 01 7b e0 d4 df b3 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 4f 31 23 30 21 06 03 55 04 03 0c 1a 41 70 70 6c 65 20 41 70 70 20 41 74 74 65 73 74 61 74 69 6f 6e 20 43 41 20 31 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 13 30 11 06 03 55 ... 643 more bytes>,
    byteLength: 743
  },
  tbs: ArrayBuffer {
    [Uint8Contents]: <30 82 02 69 a0 03 02 01 02 02 06 01 7b e0 d4 df b3 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 4f 31 23 30 21 06 03 55 04 03 0c 1a 41 70 70 6c 65 20 41 70 70 20 41 74 74 65 73 74 61 74 69 6f 6e 20 43 41 20 31 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 13 30 11 06 03 55 04 08 0c 0a ... 521 more bytes>,
    byteLength: 621
  },
  serialNumber: '017be0d4dfb3',
  subjectName: Name {
    extraNames: NameIdentifier { items: {} },
    asn: Name(4) [
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName]
    ]
  },
  subject: 'CN=a203e1588ab36ae2ffc362491c2948df5d03f3ed048d0c58a59c9e085724353c, OU=AAA Certification, O=Apple Inc., ST=California',
  issuerName: Name {
    extraNames: NameIdentifier { items: {} },
    asn: Name(3) [
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName]
    ]
  },
  issuer: 'CN=Apple App Attestation CA 1, O=Apple Inc., ST=California',
  signatureAlgorithm: { name: 'ECDSA', hash: { name: 'SHA-256' } },
  signature: Uint8Array(103) [
     48, 101,   2,  49,   0, 208,  64, 201,  24, 104,  16, 199,
     13,  42,   4,  49, 154,  56, 116, 122, 238,  30, 163, 218,
    163,  88,   5,  15,  21, 174, 134, 158,  25,   7, 184, 211,
    103, 252, 193,  63, 228, 194, 235,  27,  55, 213, 177, 195,
    111, 223,  82, 218, 192,   2,  48,  91, 142, 216, 103, 158,
     93,  89, 100, 104, 191, 133, 168, 167, 174, 232, 168, 228,
      6, 240, 223, 117, 197, 232, 126,  10, 212,  36, 100, 232,
    108, 195,  45, 172,  49, 191,  63, 209, 120, 167,   0, 255,
     17,  49,  27,  40,
    ... 3 more items
  ],
  notBefore: 2021-09-12T20:24:12.000Z,
  notAfter: 2021-09-15T20:24:12.000Z,
  extensions: Extensions(5) [
    BasicConstraintsExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.19',
      critical: true,
      value: [ArrayBuffer],
      ca: false,
      pathLength: undefined
    },
    KeyUsagesExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.15',
      critical: true,
      value: [ArrayBuffer],
      usages: 15
    },
    Extension {
      rawData: [ArrayBuffer],
      type: '1.2.840.113635.100.8.5',
      critical: false,
      value: [ArrayBuffer]
    },
    Extension {
      rawData: [ArrayBuffer],
      type: '1.2.840.113635.100.8.7',
      critical: false,
      value: [ArrayBuffer]
    },
    Extension {
      rawData: [ArrayBuffer],
      type: '1.2.840.113635.100.8.2',
      critical: false,
      value: [ArrayBuffer]
    }
  ],
  publicKey: PublicKey {
    rawData: ArrayBuffer {
      [Uint8Contents]: <30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 09 1a ae 9f d2 0b 89 e6 6b ab 68 3e 70 e1 6d 0f b1 2f 8b 4b bd c9 d2 54 ec 15 2c b4 fc 4c 8d fb e1 49 0d 90 34 80 10 82 08 6c 49 58 7e 2c 5b 90 2b 80 2d 1f f3 e9 36 59 51 d2 3e 1d d2 f8 75 e3>,
      byteLength: 91
    },
    algorithm: { name: 'ECDSA', namedCurve: 'P-256' },
    tag: 'PUBLIC KEY'
  },
  tag: 'CERTIFICATE'
}

X509Certificate {
  rawData: ArrayBuffer {
    [Uint8Contents]: <30 82 02 43 30 82 01 c8 a0 03 02 01 02 02 10 09 ba c5 e1 bc 40 1a d9 d4 53 95 bc 38 1a 08 54 30 0a 06 08 2a 86 48 ce 3d 04 03 03 30 52 31 26 30 24 06 03 55 04 03 0c 1d 41 70 70 6c 65 20 41 70 70 20 41 74 74 65 73 74 61 74 69 6f 6e 20 52 6f 6f 74 20 43 41 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c ... 483 more bytes>,
    byteLength: 583
  },
  tbs: ArrayBuffer {
    [Uint8Contents]: <30 82 01 c8 a0 03 02 01 02 02 10 09 ba c5 e1 bc 40 1a d9 d4 53 95 bc 38 1a 08 54 30 0a 06 08 2a 86 48 ce 3d 04 03 03 30 52 31 26 30 24 06 03 55 04 03 0c 1d 41 70 70 6c 65 20 41 70 70 20 41 74 74 65 73 74 61 74 69 6f 6e 20 52 6f 6f 74 20 43 41 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e ... 360 more bytes>,
    byteLength: 460
  },
  serialNumber: '09bac5e1bc401ad9d45395bc381a0854',
  subjectName: Name {
    extraNames: NameIdentifier { items: {} },
    asn: Name(3) [
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName]
    ]
  },
  subject: 'CN=Apple App Attestation CA 1, O=Apple Inc., ST=California',
  issuerName: Name {
    extraNames: NameIdentifier { items: {} },
    asn: Name(3) [
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName]
    ]
  },
  issuer: 'CN=Apple App Attestation Root CA, O=Apple Inc., ST=California',
  signatureAlgorithm: { name: 'ECDSA', hash: { name: 'SHA-384' } },
  signature: Uint8Array(104) [
     48, 102,   2,  49,   0, 187, 190, 136, 141, 115, 141,   5,
      2, 207, 188, 253, 102, 109,   9,  87,  80,  53, 188, 214,
    135,  44,  63, 132,  48,  73,  38,  41, 237, 209, 249,  20,
    232, 121, 153,  28, 154, 232, 181, 174, 248, 211, 168,  84,
     51, 247, 182,  13,   6,   2,  49,   0, 171,  56, 237, 208,
    204, 129, 237,   0, 164,  82, 195, 186,  68, 249, 147,  99,
    101,  83, 254, 204,  41, 127,  46, 180, 223, 159,  94, 190,
     90,  74, 202, 182, 153,  92,  75, 130,  13, 249,   4,  56,
    111, 120,   7, 187,
    ... 4 more items
  ],
  notBefore: 2020-03-18T18:39:55.000Z,
  notAfter: 2030-03-13T00:00:00.000Z,
  extensions: Extensions(4) [
    BasicConstraintsExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.19',
      critical: true,
      value: [ArrayBuffer],
      ca: true,
      pathLength: 0
    },
    AuthorityKeyIdentifierExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.35',
      critical: false,
      value: [ArrayBuffer],
      keyId: 'ac91105333bdbe6841ffa70ca9e5faeae5e58aa1'
    },
    SubjectKeyIdentifierExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.14',
      critical: false,
      value: [ArrayBuffer],
      keyId: '3ee35d1c0419a9c9b431f88474d6e1e15772e39b'
    },
    KeyUsagesExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.15',
      critical: true,
      value: [ArrayBuffer],
      usages: 96
    }
  ],
  publicKey: PublicKey {
    rawData: ArrayBuffer {
      [Uint8Contents]: <30 76 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 00 22 03 62 00 04 ae 5b 37 a0 77 4d 79 b2 35 8f 40 e7 d1 f2 26 26 f1 c2 5f ef 17 80 2d ea b3 82 6a 59 87 4f f8 d2 ad 15 25 78 9a a2 66 04 19 12 48 b6 3c b9 67 06 9e 98 d3 63 bd 5e 37 0f bf a0 8e 32 9e 80 73 a9 85 e7 74 6e a3 59 a2 f6 6f 29 db 32 ... 20 more bytes>,
      byteLength: 120
    },
    algorithm: { name: 'ECDSA', namedCurve: 'P-384' },
    tag: 'PUBLIC KEY'
  },
  tag: 'CERTIFICATE'
}

X509Certificate {
  rawData: ArrayBuffer {
    [Uint8Contents]: <30 82 02 21 30 82 01 a7 a0 03 02 01 02 02 10 0b f3 be 0e f1 cd d2 e0 fb 8c 6e 72 1f 62 17 98 30 0a 06 08 2a 86 48 ce 3d 04 03 03 30 52 31 26 30 24 06 03 55 04 03 0c 1d 41 70 70 6c 65 20 41 70 70 20 41 74 74 65 73 74 61 74 69 6f 6e 20 52 6f 6f 74 20 43 41 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c ... 449 more bytes>,
    byteLength: 549
  },
  tbs: ArrayBuffer {
    [Uint8Contents]: <30 82 01 a7 a0 03 02 01 02 02 10 0b f3 be 0e f1 cd d2 e0 fb 8c 6e 72 1f 62 17 98 30 0a 06 08 2a 86 48 ce 3d 04 03 03 30 52 31 26 30 24 06 03 55 04 03 0c 1d 41 70 70 6c 65 20 41 70 70 20 41 74 74 65 73 74 61 74 69 6f 6e 20 52 6f 6f 74 20 43 41 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e ... 327 more bytes>,
    byteLength: 427
  },
  serialNumber: '0bf3be0ef1cdd2e0fb8c6e721f621798',
  subjectName: Name {
    extraNames: NameIdentifier { items: {} },
    asn: Name(3) [
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName]
    ]
  },
  subject: 'CN=Apple App Attestation Root CA, O=Apple Inc., ST=California',
  issuerName: Name {
    extraNames: NameIdentifier { items: {} },
    asn: Name(3) [
      [RelativeDistinguishedName],
      [RelativeDistinguishedName],
      [RelativeDistinguishedName]
    ]
  },
  issuer: 'CN=Apple App Attestation Root CA, O=Apple Inc., ST=California',
  signatureAlgorithm: { name: 'ECDSA', hash: { name: 'SHA-384' } },
  signature: Uint8Array(103) [
     48, 101,   2,  48,  66,   1,  70, 156,  28, 175, 178,  37,
     91, 165,  50, 176,  74,   6, 180, 144, 253,  30, 240,  71,
    131,  75, 143, 172,  66, 100, 239, 111, 187, 231, 231, 115,
    185, 248,  84,  87, 129, 226, 225, 164, 157,  58, 202, 192,
    185,  62, 179, 178,   2,  49,   0, 167, 149,  56, 196,  56,
      4, 130,  89,  69, 236,  73, 247,  85, 193,  55, 137, 236,
     89, 102, 210, 158,  98, 122, 106, 182,  40, 213, 163,  33,
    107, 105, 101,  72, 201, 223, 221, 129, 169, 230, 173, 219,
    130, 213, 185, 147,
    ... 3 more items
  ],
  notBefore: 2020-03-18T18:32:53.000Z,
  notAfter: 2045-03-15T00:00:00.000Z,
  extensions: Extensions(3) [
    BasicConstraintsExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.19',
      critical: true,
      value: [ArrayBuffer],
      ca: true,
      pathLength: undefined
    },
    SubjectKeyIdentifierExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.14',
      critical: false,
      value: [ArrayBuffer],
      keyId: 'ac91105333bdbe6841ffa70ca9e5faeae5e58aa1'
    },
    KeyUsagesExtension {
      rawData: [ArrayBuffer],
      type: '2.5.29.15',
      critical: true,
      value: [ArrayBuffer],
      usages: 96
    }
  ],
  publicKey: PublicKey {
    rawData: ArrayBuffer {
      [Uint8Contents]: <30 76 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 00 22 03 62 00 04 45 31 e1 98 b5 b4 ec 04 da 15 02 04 57 04 ed 4f 87 72 72 d7 61 35 b2 61 16 cf c8 8b 61 5d 0a 00 07 19 ba 69 85 8d fe 77 ca a3 b8 39 e0 20 dd d6 56 14 14 04 70 28 31 e4 3f 70 b8 8f d6 c3 94 b6 08 ea 2b d6 ae 61 e9 f5 98 c1 2f 46 ... 20 more bytes>,
      byteLength: 120
    },
    algorithm: { name: 'ECDSA', namedCurve: 'P-384' },
    tag: 'PUBLIC KEY'
  },
  tag: 'CERTIFICATE'
}

microshine commented 9 months ago

I'm sorry for not responding to your message sooner. I have pinpointed and rectified the error that was affecting the module's performance during the chain construction. Moreover, I've added a test to emulate the problem you encountered.

The latest release, @peculiar/x509@1.9.6, is now available.

jstayton commented 8 months ago

That fixed it. Thank you!