@peculiar/x509 is an easy-to-use TypeScript/JavaScript library based on @peculiar/asn1-schema that makes generating X.509 certificates and certificate requests, as well as validating certificate chains, easy.
I'm not quite sure what's going on here, but sometimes I can generate a self-signed x509 certificate that Node's TLSSocket rejects with an ERR_OSSL_ASN1_ILLEGAL_PADDING error.

I think it's related to the serial number field; some values seem not to work.

Here are some example certificates:

Serial number 80048117884272
Serial number 80284629184668
Serial number 80290967596123
Serial number 8070459553297620

Weirdly they all begin with 80, I don't know if that means anything or it's just a coincidence.

Serial number 801234

Here's a reproduction. The serial numbers from above cause new TLSSocket to throw Error: error:068000DD:asn1 encoding routines::illegal padding, the default serial number of "01" does not.

    // run as an ES module (.mjs or "type": "module") so top-level await works
    import * as x509 from '@peculiar/x509'
    import { Crypto } from '@peculiar/webcrypto'
    import { Socket } from 'net'
    import { TLSSocket } from 'tls'

    const crypto = new Crypto()
    x509.cryptoProvider.set(crypto)

    // extractable key pair, so the private key can be exported to PEM below
    const keys = await crypto.subtle.generateKey({
      name: 'ECDSA',
      namedCurve: 'P-256',
    }, true, ['sign'])

    const cert = await x509.X509CertificateGenerator.createSelfSigned({
      // will throw
      serialNumber: '80048117884272',
      // does not throw
      //serialNumber: '01',
      // ...other certificate parameters
      name: 'CN=Test, O=Дом',
      notBefore: new Date('2020/01/01'),
      notAfter: new Date('2020/01/02'),
      signingAlgorithm: {
        name: 'ECDSA',
        hash: 'SHA-256',
      },
      keys: keys
    })

    // throws with certain serial numbers (the constructor parses cert and key)
    new TLSSocket(new Socket(), {
      cert: cert.toString(),
      key: await privateKeyToPEM(keys)
    })

    // helper to transform a private key to PEM format
    // (private keys export as 'pkcs8'; 'spki' is the public-key format and
    // exportKey rejects it for a private key)
    async function privateKeyToPEM (keys) {
      const arrayBuffer = await crypto.subtle.exportKey('pkcs8', keys.privateKey)
      let str = Buffer.from(arrayBuffer).toString('base64')
      let finalString = '-----BEGIN PRIVATE KEY-----\n'
      // PEM wraps the base64 body at 64 characters per line
      while (str.length > 0) {
        finalString += str.substring(0, 64) + '\n'
        str = str.substring(64)
      }
      finalString = finalString + '-----END PRIVATE KEY-----'
      return finalString
    }
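Added example, not code from the issue or from @peculiar/x509: an X.509 serialNumber is a DER INTEGER in minimal two's-complement form, so a first content octet with its high bit set (every failing serial above starts with 80) needs a leading 0x00 to stay positive, while a 0x00 or 0xFF that is not needed is exactly what OpenSSL reports as illegal padding. The helpers below encode a hex serial under that rule and classify raw content octets the way OpenSSL's check does; hexToBytes, positiveIntegerContent, derInteger and classifyIntegerContent are names chosen here.

```javascript
// Added example (not from @peculiar/x509 or the issue): DER-encode an X.509
// serialNumber (an ASN.1 INTEGER) from a hex string and apply the padding rule
// behind OpenSSL's "illegal padding" error. Serials are hex strings, as in the repro.

function hexToBytes(hex) {
  if (hex.length === 0 || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error(`not a hex string: ${hex}`)
  }
  return Uint8Array.from(Buffer.from(hex, 'hex'))
}

// Minimal two's-complement content octets for a positive INTEGER: drop redundant
// leading 0x00s, then prepend one 0x00 if the first octet has its high bit set
// (without it the value would decode as negative).
function positiveIntegerContent(bytes) {
  let start = 0
  while (start < bytes.length - 1 && bytes[start] === 0x00) start++
  const trimmed = bytes.subarray(start)
  return (trimmed[0] & 0x80) ? Uint8Array.from([0x00, ...trimmed]) : trimmed
}

// Wrap content octets in the INTEGER TLV (tag 0x02). RFC 5280 4.1.2.2 caps
// serials at 20 octets, so the short-form length byte always suffices.
function derInteger(content) {
  if (content.length > 20) throw new Error('serialNumber longer than 20 octets')
  return Uint8Array.from([0x02, content.length, ...content])
}

// The check OpenSSL applies to the first two content octets of an INTEGER:
// a leading 0x00 is only allowed before an octet with its high bit set, and a
// leading 0xFF only before one with its high bit clear; anything else is
// redundant padding. Returns 'illegal padding', 'negative' or 'ok'.
function classifyIntegerContent(content) {
  if (content.length > 1) {
    const pad = content[0], next = content[1]
    if (pad === 0x00 && !(next & 0x80)) return 'illegal padding'
    if (pad === 0xff && (next & 0x80)) return 'illegal padding'
  }
  return (content[0] & 0x80) ? 'negative' : 'ok'
}

function bytesToHex(bytes) {
  return Buffer.from(bytes).toString('hex')
}

// Hex serial in, hex DER INTEGER out, e.g. '801234' -> '020400801234'.
function encodeSerial(hex) {
  return bytesToHex(derInteger(positiveIntegerContent(hexToBytes(hex))))
}
```

Feeding the raw bytes of a serial that starts with 80 to classifyIntegerContent reports 'negative', and a redundant leading 00 reports 'illegal padding'; only the output of positiveIntegerContent passes as 'ok'.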