nginx / njs-acme

nginx njs module runtime that works with ACME providers such as Let's Encrypt for automated, no-reload TLS certificate issuance and renewal.
Apache License 2.0

Enable usage of provided CryptoKey for Certificate Signing Request #37

Open ivanitskiy opened 1 year ago

ivanitskiy commented 1 year ago

Is your feature request related to a problem? Please describe

Currently, createCsr doesn't allow parameterized generation of the private/public key pair, where the public key is used in the CSR extensions. The interface looks like this:

```typescript
export async function createCsr(params: {
  keySize?: number
  commonName: string
  altNames: string[]
  country?: string
  state?: string
  locality?: string
  organization?: string
  organizationUnit?: string
  emailAddress?: string
}): Promise<{ pkcs10Ber: ArrayBuffer; keys: Required<CryptoKeyPair> }> {
  // TODO:  allow to provide keys in addition to always generating one
  // A fresh key pair is generated unconditionally; the caller cannot supply one.
  const { privateKey, publicKey } =
    (await generateKey()) as Required<CryptoKeyPair>
....
  addSubjectAttributes(pkcs10.subject.typesAndValues, params)
  // The public key lands in the request's SubjectPublicKeyInfo/extensions,
  // and the matching private key signs the request.
  await addExtensions(pkcs10, params, publicKey)
  await signCsr(pkcs10, privateKey)
```

So we need to provide a way to use an existing key pair and/or to parameterize the algorithm used to generate the pair.

This would allow generating EC keys, for example; RSA is currently hard-coded as follows:

```typescript
export async function generateKey(): Promise<CryptoKey | CryptoKeyPair> {
  // Hard-coded: RSASSA-PKCS1-v1_5, SHA-256, e = 65537, 2048-bit modulus.
  const keys = await crypto.subtle.generateKey(
    {
      name: 'RSASSA-PKCS1-v1_5',
      hash: 'SHA-256',
      publicExponent: new Uint8Array([1, 0, 1]),
      modulusLength: 2048,
    },
    true,
    ['sign', 'verify'],
  )
  return keys
}
```

Additional context

Currently, people can't use their own private/public keys (e.g. password-protected ones).